Windows Analysis Report
Neverlose.cc-unpadded.exe

Overview

General Information

Sample name: Neverlose.cc-unpadded.exe
Analysis ID: 1581521
MD5: f597948f04be76e6acbd59ed828276aa
SHA1: 6e702cc562321343e0528a7f78e19cc40c46e6af
SHA256: 7a0e67b82fbc363758a2b4b61cd6042aab6a88ae9dc955e40c84cc56bf69d692
Tags: exe, LummaStealer, user-ventoy

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Neverlose.cc-unpadded.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\Neverlose.cc-unpadded.exe" MD5: F597948F04BE76E6ACBD59ED828276AA)
    • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Neverlose.cc-unpadded.exe (PID: 4144 cmdline: "C:\Users\user\Desktop\Neverlose.cc-unpadded.exe" MD5: F597948F04BE76E6ACBD59ED828276AA)
    • WerFault.exe (PID: 3704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 316 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["discokeyus.lat", "grannyejh.lat", "rapeflowwj.lat", "energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "necklacebudi.lat", "sustainskelet.lat", "bellflamre.click"], "Build id": "LPnhqo--utgsudapuzph"}
Source | Rule | Description | Author | Strings
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
    No Sigma rule has matched
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-12-28T00:21:58.492101+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 23.55.153.106 | 443 | TCP
    2024-12-28T00:21:55.692362+0100 | 2058354 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 55316 | 1.1.1.1 | 53 | UDP
    2024-12-28T00:21:53.866404+0100 | 2058212 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 61470 | 1.1.1.1 | 53 | UDP
    2024-12-28T00:21:56.317544+0100 | 2058358 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 64813 | 1.1.1.1 | 53 | UDP
    2024-12-28T00:21:54.558129+0100 | 2058360 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 62716 | 1.1.1.1 | 53 | UDP
    2024-12-28T00:21:55.294655+0100 | 2058362 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 63671 | 1.1.1.1 | 53 | UDP
    2024-12-28T00:21:54.088544+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 65380 | 1.1.1.1 | 53 | UDP
    2024-12-28T00:21:54.963519+0100 | 2058370 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 61328 | 1.1.1.1 | 53 | UDP
    2024-12-28T00:21:56.631327+0100 | 2058374 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60184 | 1.1.1.1 | 53 | UDP
    2024-12-28T00:21:56.084736+0100 | 2058376 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60032 | 1.1.1.1 | 53 | UDP
    2024-12-28T00:21:59.484316+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49732 | 23.55.153.106 | 443 | TCP

    AV Detection

    Source: 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["discokeyus.lat", "grannyejh.lat", "rapeflowwj.lat", "energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "necklacebudi.lat", "sustainskelet.lat", "bellflamre.click"], "Build id": "LPnhqo--utgsudapuzph"}
    Source: Neverlose.cc-unpadded.exe | ReversingLabs: Detection: 57%
    Source: Submited Sample | Integrated Neural Analysis Model: Matched 84.7% probability
    Source: Neverlose.cc-unpadded.exe | Joe Sandbox ML: detected
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: rapeflowwj.lat
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: crosshuaht.lat
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: sustainskelet.lat
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: energyaffai.lat
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: necklacebudi.lat
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: discokeyus.lat
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: grannyejh.lat
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: bellflamre.click
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
    Source: 00000002.00000002.1708620557.000000000043E000.00000040.00000400.00020000.00000000.sdmp | String decryptor: LPnhqo--utgsudapuzph
    Source: Neverlose.cc-unpadded.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49732 version: TLS 1.2
    Source: Neverlose.cc-unpadded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe | Code function: 0_2_002A63B5 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_002A63B5
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe | Code function: 2_2_002A6304 FindFirstFileExW,2_2_002A6304
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe | Code function: 2_2_002A63B5 FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_002A63B5

    Networking

    Source: Network traffic | Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.4:65380 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.4:63671 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.4:60032 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.4:62716 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2058212 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) : 192.168.2.4:61470 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.4:64813 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.4:60184 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.4:61328 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.4:55316 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49732 -> 23.55.153.106:443
    Source: Joe Sandbox View | IP Address: 23.55.153.106
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 23.55.153.106:443
    Source: global traffic | HTTP traffic detected:
        GET /profiles/76561199724331900 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Host: steamcommunity.com
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficDNS traffic detected: DNS query: bellflamre.click
    Source: global trafficDNS traffic detected: DNS query: grannyejh.lat
    Source: global trafficDNS traffic detected: DNS query: discokeyus.lat
    Source: global trafficDNS traffic detected: DNS query: necklacebudi.lat
    Source: global trafficDNS traffic detected: DNS query: energyaffai.lat
    Source: global trafficDNS traffic detected: DNS query: aspecteirs.lat
    Source: global trafficDNS traffic detected: DNS query: sustainskelet.lat
    Source: global trafficDNS traffic detected: DNS query: crosshuaht.lat
    Source: global trafficDNS traffic detected: DNS query: rapeflowwj.lat
    Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
    Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49732 version: TLS 1.2
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0043395D2_2_0043395D
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0042A9C42_2_0042A9C4
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_004389F02_2_004389F0
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0043C9902_2_0043C990
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0040A9B02_2_0040A9B0
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0041CA402_2_0041CA40
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0042AA622_2_0042AA62
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00434AD02_2_00434AD0
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00418BE72_2_00418BE7
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00402B902_2_00402B90
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0040FC0A2_2_0040FC0A
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00404C302_2_00404C30
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00414D452_2_00414D45
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0041CD602_2_0041CD60
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0042FD602_2_0042FD60
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00435E402_2_00435E40
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00414D402_2_00414D40
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00429ECA2_2_00429ECA
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00402F402_2_00402F40
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0040CF2B2_2_0040CF2B
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00408FE02_2_00408FE0
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00420FA02_2_00420FA0
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: String function: 0029D05E appears 42 times
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: String function: 002941E0 appears 94 times
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: String function: 004145B0 appears 76 times
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: String function: 002A14C4 appears 34 times
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: String function: 00407FE0 appears 76 times
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 316
    Source: Neverlose.cc-unpadded.exe, 00000000.00000000.1643571999.000000000030C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRpcPing.exej% vs Neverlose.cc-unpadded.exe
    Source: Neverlose.cc-unpadded.exe, 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRpcPing.exej% vs Neverlose.cc-unpadded.exe
    Source: Neverlose.cc-unpadded.exe, 00000002.00000000.1649046240.000000000030C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRpcPing.exej% vs Neverlose.cc-unpadded.exe
    Source: Neverlose.cc-unpadded.exe, 00000002.00000003.1649606851.0000000002817000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRpcPing.exej% vs Neverlose.cc-unpadded.exe
    Source: Neverlose.cc-unpadded.exeBinary or memory string: OriginalFilenameRpcPing.exej% vs Neverlose.cc-unpadded.exe
    Source: Neverlose.cc-unpadded.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: Neverlose.cc-unpadded.exeStatic PE information: Section: .bss ZLIB complexity 1.000329525483304
    Source: classification engineClassification label: mal100.troj.evad.winEXE@5/5@10/1
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6520
    Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\d857174c-f25f-488d-be05-258f137f66b4Jump to behavior
    Source: Neverlose.cc-unpadded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: Neverlose.cc-unpadded.exeReversingLabs: Detection: 57%
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeFile read: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe "C:\Users\user\Desktop\Neverlose.cc-unpadded.exe"
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeProcess created: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe "C:\Users\user\Desktop\Neverlose.cc-unpadded.exe"
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 316
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeProcess created: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe "C:\Users\user\Desktop\Neverlose.cc-unpadded.exe"Jump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: webio.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeSection loaded: dpapi.dllJump to behavior
    Source: Neverlose.cc-unpadded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
    Source: Neverlose.cc-unpadded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: Neverlose.cc-unpadded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: Neverlose.cc-unpadded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: Neverlose.cc-unpadded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: Neverlose.cc-unpadded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: Neverlose.cc-unpadded.exeStatic PE information: real checksum: 0x8ed9b should be: 0x8ee93
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_00294303 push ecx; ret 0_2_00294316
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00294303 push ecx; ret 2_2_00294316
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0043B250 push eax; mov dword ptr [esp], 86858453h2_2_0043B253
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-20774
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeAPI coverage: 2.3 %
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe TID: 1772Thread sleep time: -90000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe TID: 2304Thread sleep time: -30000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_002A63B5 FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_002A63B5
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_002A6304 FindFirstFileExW,2_2_002A6304
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_002A63B5 FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_002A63B5
    Source: Amcache.hve.5.drBinary or memory string: VMware
    Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin
    Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
    Source: Amcache.hve.5.drBinary or memory string: VMware20,1hbin@
    Source: Amcache.hve.5.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.5.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.5.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: Neverlose.cc-unpadded.exe, 00000002.00000002.1708908241.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708336299.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.5.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: Amcache.hve.5.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.5.drBinary or memory string: vmci.sys
    Source: Amcache.hve.5.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
    Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin`
    Source: Amcache.hve.5.drBinary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.5.drBinary or memory string: VMware20,1
    Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.5.drBinary or memory string: VMware PCI VMCI Bus Device
    Source: Amcache.hve.5.drBinary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.5.drBinary or memory string: VMware Virtual RAM
    Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: Neverlose.cc-unpadded.exe, 00000002.00000002.1708759264.0000000000D2C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
    Source: Amcache.hve.5.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00439AF0 LdrInitializeThunk,2_2_00439AF0
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_00294073 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00294073
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_002BC19E mov edi, dword ptr fs:[00000030h]0_2_002BC19E
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_002816A0 mov edi, dword ptr fs:[00000030h]0_2_002816A0
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_002816A0 mov edi, dword ptr fs:[00000030h]2_2_002816A0
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_002A1DBC GetProcessHeap,0_2_002A1DBC
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_00294067 SetUnhandledExceptionFilter,0_2_00294067
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_00294073 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00294073
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_00293CB7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00293CB7
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_0029CDB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0029CDB0
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00294067 SetUnhandledExceptionFilter,2_2_00294067
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00294073 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00294073
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_00293CB7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00293CB7
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 2_2_0029CDB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0029CDB0

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_002BC19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_002BC19E
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeMemory written: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe base: 400000 value starts with: 4D5AJump to behavior
    Source: Neverlose.cc-unpadded.exe, 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: rapeflowwj.lat
    Source: Neverlose.cc-unpadded.exe, 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: crosshuaht.lat
    Source: Neverlose.cc-unpadded.exe, 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: sustainskelet.lat
    Source: Neverlose.cc-unpadded.exe, 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: aspecteirs.lat
    Source: Neverlose.cc-unpadded.exe, 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: energyaffai.lat
    Source: Neverlose.cc-unpadded.exe, 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: necklacebudi.lat
    Source: Neverlose.cc-unpadded.exe, 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: discokeyus.lat
    Source: Neverlose.cc-unpadded.exe, 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: grannyejh.lat
    Source: Neverlose.cc-unpadded.exe, 00000000.00000002.1916711517.0000000002DDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: bellflamre.click
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeProcess created: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe "C:\Users\user\Desktop\Neverlose.cc-unpadded.exe"Jump to behavior
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,0_2_002A11AC
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_002A566E
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: EnumSystemLocalesW,0_2_002A16A7
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: EnumSystemLocalesW,0_2_002A58BF
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_002A595A
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: EnumSystemLocalesW,0_2_002A5BAD
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,0_2_002A5C0C
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: EnumSystemLocalesW,0_2_002A5CE1
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,0_2_002A5D2C
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_002A5DD3
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,0_2_002A5ED9
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,2_2_002A11AC
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_002A566E
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: EnumSystemLocalesW,2_2_002A16A7
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: EnumSystemLocalesW,2_2_002A58BF
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_002A595A
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: EnumSystemLocalesW,2_2_002A5BAD
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,2_2_002A5C0C
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: EnumSystemLocalesW,2_2_002A5CE1
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,2_2_002A5D2C
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_002A5DD3
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: GetLocaleInfoW,2_2_002A5ED9
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeCode function: 0_2_002947EF GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,0_2_002947EF
    Source: C:\Users\user\Desktop\Neverlose.cc-unpadded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
    Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: Amcache.hve.5.drBinary or memory string: msmpeng.exe
    Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.5.drBinary or memory string: MsMpEng.exe

    Stealing of Sensitive Information

    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
    | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 211 Process Injection | 2 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
    | Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
    | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
    | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 113 Application Layer Protocol | Traffic Duplication | Data Destruction |
    | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
    | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |

    Source | Detection | Scanner | Label | Link
    Neverlose.cc-unpadded.exe | 58% | ReversingLabs | Win32.Trojan.LummaStealer |
    Neverlose.cc-unpadded.exe | 100% | Joe Sandbox ML | |
    No Antivirus matches
                                                                                                                                                                high
                                                                                                                                                                http://127.0.0.1:27060Neverlose.cc-unpadded.exe, 00000002.00000002.1708937743.0000000000D88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://store.steampowered.com/privacy_agreement/Neverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708318653.0000000000DC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQNeverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708318653.0000000000DC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&amNeverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708318653.0000000000DC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://www.google.com/recaptcha/Neverlose.cc-unpadded.exe, 00000002.00000002.1708937743.0000000000D88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://checkout.steampowered.com/Neverlose.cc-unpadded.exe, 00000002.00000002.1708937743.0000000000D88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&ampNeverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708318653.0000000000DC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://help.steampowered.com/Neverlose.cc-unpadded.exe, 00000002.00000002.1708937743.0000000000D88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://api.steampowered.com/Neverlose.cc-unpadded.exe, 00000002.00000002.1708937743.0000000000D88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://store.steampowered.com/account/cookiepreferences/Neverlose.cc-unpadded.exe, 00000002.00000002.1708876176.0000000000D67000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708419298.0000000000D67000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708318653.0000000000DC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://store.steampowered.com/mobileNeverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708318653.0000000000DC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://steamcommunity.com/Neverlose.cc-unpadded.exe, 00000002.00000002.1708937743.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000002.1708759264.0000000000D4E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81Neverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708318653.0000000000DC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://store.steampowered.com/;Neverlose.cc-unpadded.exe, 00000002.00000003.1708285777.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708392846.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000002.1708937743.0000000000D88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://store.steampowered.com/about/Neverlose.cc-unpadded.exe, 00000002.00000003.1708318653.0000000000DC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&lNeverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708249815.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, Neverlose.cc-unpadded.exe, 00000002.00000003.1708318653.0000000000DC1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1581521
Start date and time:2024-12-28 00:21:03 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 55s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Neverlose.cc-unpadded.exe
Detection:MAL
Classification:mal100.troj.evad.winEXE@5/5@10/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 25
• Number of non-executed functions: 151
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.190.147.5, 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Neverlose.cc-unpadded.exe
Time | Type | Description
18:21:53 | API Interceptor | 6x Sleep call for process: Neverlose.cc-unpadded.exe modified
18:22:19 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
23.55.153.106 | Aura.exe | malicious | LummaC |
23.55.153.106 | Aura.exe | malicious | LummaC |
23.55.153.106 | Installer.exe | malicious | LummaC |
23.55.153.106 | Setup.exe | malicious | Unknown |
23.55.153.106 | w22319us3M.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT |
23.55.153.106 | T4qO1i2Jav.exe | malicious | LummaC Stealer |
23.55.153.106 | FXdg37pY22.exe | malicious | LummaC Stealer |
23.55.153.106 | FXdg37pY22.exe | malicious | LummaC Stealer |
23.55.153.106 | k0ukcEH.exe | malicious | LummaC |
23.55.153.106 | 5uVReRlvME.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
steamcommunity.com | Aura.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | Aura.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | Installer.exe | malicious | LummaC | 23.55.153.106
steamcommunity.com | Installer.exe | malicious | LummaC | 104.121.10.34
steamcommunity.com | SoftWare(1).exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | ForcesLangi.exe | malicious | LummaC | 92.122.104.90
steamcommunity.com | Leside-.exe | malicious | LummaC | 92.122.104.90
steamcommunity.com | Setup.exe | malicious | Unknown | 104.121.10.34
steamcommunity.com | Setup.exe | malicious | Unknown | 23.55.153.106
steamcommunity.com | Vq50tK1Nx2.exe | malicious | LummaC | 104.121.10.34
                                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                    AKAMAI-ASN1EUAura.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    Aura.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    Installer.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    Setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    w22319us3M.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRATBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    T4qO1i2Jav.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    FXdg37pY22.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    FXdg37pY22.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    grand-theft-auto-5-theme-1-installer_qb8W-j1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • 184.85.182.130
                                                                                                                                                                                                                    k0ukcEH.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                    a0e9f5d64349fb13191bc781f81f42e1External2.4.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    Aura.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    Aura.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    Loader.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    New Upd v1.1.0.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    WonderHack.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    Installer.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    Installer.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    SoftWare(1).exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
                                                                                                                                                                                                                    NewSetup.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                    • 23.55.153.106
No context

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.7281181480307202
Encrypted:false
SSDEEP:96:pVFvCk0Hsish1yDfUQXIDcQvc6QcEVcw3cE/3+HbHg/8BRTf3o8Fa9OyWZAX/d5Q:bd8HL0BU/Qj/qzuiFbZ24IO8Hqc
MD5:709F004786042B38CF90F580B4F234BD
SHA1:8E0506CDC982FE5AC9B46B6CD34E669E426026C0
SHA-256:1FDB38F12EF4E5D66A24723C046C0EB14FC9FB5FEC199CDE200784128482354D
SHA-512:202AD96BE9E026AE5A5D7D47F98F3519222BC77C02726F1F6DF7D0268EC27EB74828B58F81A439B503A496C1885279DCB5F4C57B69456CDEE0AFCF4C79B76AD4
Malicious:false
Reputation:low
Preview:
Version=1
EventType=APPCRASH
EventTime=133798153131638004
ReportType=2
Consent=1
UploadTime=133798153134450448
ReportStatus=524384
ReportIdentifier=f6954b3b-35bb-45c8-a8fa-9716707600d4
IntegratorReportIdentifier=452f673c-b244-471a-b8e9-72be00e2bf3a
Wow64Host=34404
Wow64Guest=332
NsAppName=Neverlose.cc-unpadded.exe
OriginalFilename=RpcPing.exe
AppSessionGuid=00001978-0001-0014-b407-5e1cb658db01
TargetAppId=W:0006f8fe4ddb12e22396db24b977ffec15d500000904!00006e702cc562321343e0528a7f7

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Fri Dec 27 23:21:53 2024, 0x1205a4 type
Category:dropped
Size (bytes):43222
Entropy (8bit):1.678738301106338
Encrypted:false
SSDEEP:96:5+8D2+S+z6lbyYXrcF+kYxuoWi7yh1eJcplRbE701JHnT4oP06kWIkWIsp7IXIyj:3D2OOwkLWOqpnYY1OoP064uIyBlP
MD5:85074573DB5F5ED4EDBD20265D7DF299
SHA1:600EFBF418DF82B6D3C7BE14E5AF1AAFF526B47D
SHA-256:DD95F9A7D869469E6D602957E117876D70AE6C98E8E07D4B958CE98BB42444F3
SHA-512:289E03963A67D1133C234FC89E646804950E642DAA4B636B3108F7065DBB7746BD0FD79DC2F4478199153CB9F94B0579CAF198C36312AA4455343EB49B6A08FB
Malicious:false
Reputation:low

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8356
Entropy (8bit):3.6943076113576945
Encrypted:false
SSDEEP:192:R6l7wVeJvw6KZ6Y9hSU9hgmfGuJv4prp89b0rsf98m:R6lXJI606Y7SU9hgmfGuJvL0wfT
MD5:942C076FFF1BC1B577C12D31FC102A10
SHA1:894E11E87AA926C072CF8DDB9402B2BDABCC3F1D
SHA-256:B0695164CCF5163EE1FFAF073FABE11E8CCFD194EFE8D5942E8D54C813193FBD
SHA-512:88C04C297EC1BD9193B6F56E03237BC0FC4675BE2C6B765B4978BC91C3AD44886C479E26CDCE46D2C1A61FAD8EB8172ACA17D4D49B58FF1DA6E06BA96DB7F718
Malicious:false
Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>6520</Pi

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4716
Entropy (8bit):4.47136369700903
Encrypted:false
SSDEEP:48:cvIwWl8zsqJg77aI9WJWpW8VYRYm8M4JBEmuF/+q89ErHD5ZKhbI8d:uIjf4I7c47VdJIF5ZKhs8d
MD5:3F1AC82E8C9525AAB27ACFD38A68D137
SHA1:760B6835E8C3C65B55B9592B5D3B531C22EC05FC
SHA-256:A6567168E155C5F81FDC7D0295C5C33C39936DB45D44E28668BBC82FEBC5722B
SHA-512:C35F2D199FA9A32D6D3455648ABC48BDDC7B3BBDA42A0E1152C2BBBCA3886CBCBE5670901AC646468991E3A6EC570717724EC0C50C172A8636D176623FE771C0
Malicious:false
Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
  <src>
   <desc>
    <mach>
     <os>
      <arg nm="vermaj" val="10" />
      <arg nm="vermin" val="0" />
      <arg nm="verbld" val="19045" />
      <arg nm="vercsdbld" val="2006" />
      <arg nm="verqfe" val="2006" />
      <arg nm="csdbld" val="2006" />
      <arg nm="versp" val="0" />
      <arg nm="arch" val="9" />
      <arg nm="lcid" val="2057" />
      <arg nm="geoid" val="223" />
      <arg nm="sku" val="48" />
      <arg nm="domain" val="0" />
      <arg nm="prodsuite" val="256" />
      <arg nm="ntprodtype" val="1" />
      <arg nm="platid" val="2" />
      <arg nm="tmsi" val="650304" />
      <arg nm="osinsty" val="1" />
      <arg nm="iever" val="11.789.19041.0-11.0.1000" />
      <arg nm="portos" val="0" />
      <arg nm="ram" val="409

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.466151394542021
Encrypted:false
SSDEEP:6144:vIXfpi67eLPU9skLmb0b46WSPKaJG8nAgejZMMhA2gX4WABl0uN9dwBCswSb/:AXD946WlLZMM6YFH7+/
MD5:4FAE10EEB280A007E5426E249F1339AE
SHA1:D0457C92737C8740C2E325B984E7130C9FB3F63E
SHA-256:221ED29C7F9B5DB57CAE736FD53A632B12CFB5A742038E5635A29A08109909DD
SHA-512:0EDD846EC6A1A74D76240EC12AC36FFD0BAA3F9EDBAF0875A31BDE58342A27A44821610783EA2F745243E5534AC2E2A33B9C5C4A3734292DED511128C2D1C380
Malicious:false
Reputation:low
                                                                                                                                                                                                                    Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....X...............................................................................................................................................................................................................................................................................................................................................A.(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                    File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                    Entropy (8bit):7.534071183983943
                                                                                                                                                                                                                    TrID:
                                                                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                    File name:Neverlose.cc-unpadded.exe
                                                                                                                                                                                                                    File size:549'889 bytes
                                                                                                                                                                                                                    MD5:f597948f04be76e6acbd59ed828276aa
                                                                                                                                                                                                                    SHA1:6e702cc562321343e0528a7f78e19cc40c46e6af
                                                                                                                                                                                                                    SHA256:7a0e67b82fbc363758a2b4b61cd6042aab6a88ae9dc955e40c84cc56bf69d692
                                                                                                                                                                                                                    SHA512:d3d150fd1afe6c703c681befb9ad3aa6264254b4b71a7b6b5ffdc42ab10156b5e8818c7ac536a0bc5f4b57cf29432bbad8a3d8a5c8b938836cc2c23aea909504
                                                                                                                                                                                                                    SSDEEP:12288:23sPnKB1HitY7GwKKNLio3vp1wz+psXxilQmqNXey/x:28PnKrittwK+LB3vpSKislQmqNX7
                                                                                                                                                                                                                    TLSH:BCC4C00171518072DDB725B758BADB5E4A3EE9200B627ACFA3480CBDEF355C1A631B27
                                                                                                                                                                                                                    File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg.........."..................K............@.......................................@.................................\...P..
                                                                                                                                                                                                                    Icon Hash:90cececece8e8eb0
                                                                                                                                                                                                                    Entrypoint:0x414bbb
                                                                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                                                                    Digitally signed:false
                                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                                    Subsystem:windows cui
                                                                                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                    Time Stamp:0x6766D9DE [Sat Dec 21 15:08:14 2024 UTC]
                                                                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                                                                    OS Version Major:6
                                                                                                                                                                                                                    OS Version Minor:0
                                                                                                                                                                                                                    File Version Major:6
                                                                                                                                                                                                                    File Version Minor:0
                                                                                                                                                                                                                    Subsystem Version Major:6
                                                                                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                                                                                    Import Hash:0e4c328663ae5868d07c0edb57d0348d
                                                                                                                                                                                                                    Instruction
                                                                                                                                                                                                                    call 00007FC788C9580Ah
                                                                                                                                                                                                                    jmp 00007FC788C95679h
                                                                                                                                                                                                                    mov ecx, dword ptr [0043D6C0h]
                                                                                                                                                                                                                    push esi
                                                                                                                                                                                                                    push edi
                                                                                                                                                                                                                    mov edi, BB40E64Eh
                                                                                                                                                                                                                    mov esi, FFFF0000h
                                                                                                                                                                                                                    cmp ecx, edi
                                                                                                                                                                                                                    je 00007FC788C95806h
                                                                                                                                                                                                                    test esi, ecx
                                                                                                                                                                                                                    jne 00007FC788C95828h
                                                                                                                                                                                                                    call 00007FC788C95831h
                                                                                                                                                                                                                    mov ecx, eax
                                                                                                                                                                                                                    cmp ecx, edi
                                                                                                                                                                                                                    jne 00007FC788C95809h
                                                                                                                                                                                                                    mov ecx, BB40E64Fh
                                                                                                                                                                                                                    jmp 00007FC788C95810h
                                                                                                                                                                                                                    test esi, ecx
                                                                                                                                                                                                                    jne 00007FC788C9580Ch
                                                                                                                                                                                                                    or eax, 00004711h
                                                                                                                                                                                                                    shl eax, 10h
                                                                                                                                                                                                                    or ecx, eax
                                                                                                                                                                                                                    mov dword ptr [0043D6C0h], ecx
                                                                                                                                                                                                                    not ecx
                                                                                                                                                                                                                    pop edi
                                                                                                                                                                                                                    mov dword ptr [0043D700h], ecx
                                                                                                                                                                                                                    pop esi
                                                                                                                                                                                                                    ret
                                                                                                                                                                                                                    push ebp
                                                                                                                                                                                                                    mov ebp, esp
                                                                                                                                                                                                                    sub esp, 14h
                                                                                                                                                                                                                    lea eax, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                    xorps xmm0, xmm0
                                                                                                                                                                                                                    push eax
                                                                                                                                                                                                                    movlpd qword ptr [ebp-0Ch], xmm0
                                                                                                                                                                                                                    call dword ptr [0043A5D8h]
                                                                                                                                                                                                                    mov eax, dword ptr [ebp-08h]
                                                                                                                                                                                                                    xor eax, dword ptr [ebp-0Ch]
                                                                                                                                                                                                                    mov dword ptr [ebp-04h], eax
                                                                                                                                                                                                                    call dword ptr [0043A590h]
                                                                                                                                                                                                                    xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                    call dword ptr [0043A58Ch]
                                                                                                                                                                                                                    xor dword ptr [ebp-04h], eax
                                                                                                                                                                                                                    lea eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                    push eax
                                                                                                                                                                                                                    call dword ptr [0043A628h]
                                                                                                                                                                                                                    mov eax, dword ptr [ebp-10h]
                                                                                                                                                                                                                    lea ecx, dword ptr [ebp-04h]
                                                                                                                                                                                                                    xor eax, dword ptr [ebp-14h]
                                                                                                                                                                                                                    xor eax, dword ptr [ebp-04h]
                                                                                                                                                                                                                    xor eax, ecx
                                                                                                                                                                                                                    leave
                                                                                                                                                                                                                    ret
                                                                                                                                                                                                                    mov eax, 00004000h
                                                                                                                                                                                                                    ret
                                                                                                                                                                                                                    push 0043EC38h
                                                                                                                                                                                                                    call dword ptr [0043A600h]
                                                                                                                                                                                                                    ret
                                                                                                                                                                                                                    push 00030000h
                                                                                                                                                                                                                    push 00010000h
                                                                                                                                                                                                                    push 00000000h
                                                                                                                                                                                                                    call 00007FC788C9CE38h
                                                                                                                                                                                                                    add esp, 0Ch

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a35c | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x3e8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x41000 | 0x2114 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x367e8 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x32b78 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x3a524 | 0x178 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2f54f | 0x2f600 | 58bc155b094b6873a22cc988795a8d23 | False | 0.5124196075197889 | data | 6.453078444758717 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x31000 | 0xa9ec | 0xaa00 | ee0908da15a0e5d81cca81415109d13b | False | 0.4196920955882353 | data | 4.875338264838317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3c000 | 0x3400 | 0x2400 | 81d422e119a7deac089cc0743b9210da | False | 0.3245442708333333 | data | 5.214421128212959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x40000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x41000 | 0x2114 | 0x2200 | fb9df7b78b2799ee418116907747d382 | False | 0.7449448529411765 | data | 6.477521124661293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .bss | 0x44000 | 0x47200 | 0x47200 | e130f201e46a3d1d06d923deadc4301d | False | 1.000329525483304 | data | 7.999367293745348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x8c000 | 0x3e8 | 0x400 | 93d6519c97ffd7db4a07ab1d2e3304e8 | False | 0.43359375 | data | 3.2859175893892143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x8c058 | 0x390 | data | English | United States | 0.4517543859649123
DLL | Import
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll | DefWindowProcW
ADVAPI32.dll | EqualPrefixSid
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-28T00:21:53.866404+0100 | 2058212 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click) | 1 | 192.168.2.4 | 61470 | 1.1.1.1 | 53 | UDP
2024-12-28T00:21:54.088544+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.4 | 65380 | 1.1.1.1 | 53 | UDP
2024-12-28T00:21:54.558129+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.4 | 62716 | 1.1.1.1 | 53 | UDP
2024-12-28T00:21:54.963519+0100 | 2058370 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) | 1 | 192.168.2.4 | 61328 | 1.1.1.1 | 53 | UDP
2024-12-28T00:21:55.294655+0100 | 2058362 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) | 1 | 192.168.2.4 | 63671 | 1.1.1.1 | 53 | UDP
2024-12-28T00:21:55.692362+0100 | 2058354 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) | 1 | 192.168.2.4 | 55316 | 1.1.1.1 | 53 | UDP
2024-12-28T00:21:56.084736+0100 | 2058376 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) | 1 | 192.168.2.4 | 60032 | 1.1.1.1 | 53 | UDP
2024-12-28T00:21:56.317544+0100 | 2058358 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) | 1 | 192.168.2.4 | 64813 | 1.1.1.1 | 53 | UDP
2024-12-28T00:21:56.631327+0100 | 2058374 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) | 1 | 192.168.2.4 | 60184 | 1.1.1.1 | 53 | UDP
2024-12-28T00:21:58.492101+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 23.55.153.106 | 443 | TCP
2024-12-28T00:21:59.484316+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.4 | 49732 | 23.55.153.106 | 443 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 28, 2024 00:21:53.866404057 CET | 192.168.2.4 | 1.1.1.1 | 0x96ad | Standard query (0) | bellflamre.click | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:54.088543892 CET | 192.168.2.4 | 1.1.1.1 | 0x95d7 | Standard query (0) | grannyejh.lat | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:54.558129072 CET | 192.168.2.4 | 1.1.1.1 | 0xccdc | Standard query (0) | discokeyus.lat | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:54.963519096 CET | 192.168.2.4 | 1.1.1.1 | 0xb68c | Standard query (0) | necklacebudi.lat | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:55.294655085 CET | 192.168.2.4 | 1.1.1.1 | 0x9ffc | Standard query (0) | energyaffai.lat | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:55.692362070 CET | 192.168.2.4 | 1.1.1.1 | 0x80eb | Standard query (0) | aspecteirs.lat | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:56.084736109 CET | 192.168.2.4 | 1.1.1.1 | 0x256 | Standard query (0) | sustainskelet.lat | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:56.317543983 CET | 192.168.2.4 | 1.1.1.1 | 0x5eb2 | Standard query (0) | crosshuaht.lat | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:56.631326914 CET | 192.168.2.4 | 1.1.1.1 | 0x5a2e | Standard query (0) | rapeflowwj.lat | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:56.865024090 CET | 192.168.2.4 | 1.1.1.1 | 0x4c33 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 28, 2024 00:21:54.081738949 CET | 1.1.1.1 | 192.168.2.4 | 0x96ad | Name error (3) | bellflamre.click | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:54.556361914 CET | 1.1.1.1 | 192.168.2.4 | 0x95d7 | Name error (3) | grannyejh.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:54.961023092 CET | 1.1.1.1 | 192.168.2.4 | 0xccdc | Name error (3) | discokeyus.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:55.272100925 CET | 1.1.1.1 | 192.168.2.4 | 0xb68c | Name error (3) | necklacebudi.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:55.689858913 CET | 1.1.1.1 | 192.168.2.4 | 0x9ffc | Name error (3) | energyaffai.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:56.083010912 CET | 1.1.1.1 | 192.168.2.4 | 0x80eb | Name error (3) | aspecteirs.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:56.314639091 CET | 1.1.1.1 | 192.168.2.4 | 0x256 | Name error (3) | sustainskelet.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:56.628134012 CET | 1.1.1.1 | 192.168.2.4 | 0x5eb2 | Name error (3) | crosshuaht.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:56.863379955 CET | 1.1.1.1 | 192.168.2.4 | 0x5a2e | Name error (3) | rapeflowwj.lat | none | none | A (IP address) | IN (0x0001) | false
Dec 28, 2024 00:21:57.004909039 CET | 1.1.1.1 | 192.168.2.4 | 0x4c33 | No error (0) | steamcommunity.com | | 23.55.153.106 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 23.55.153.106 | 443 | 4144 | C:\Users\user\Desktop\Neverlose.cc-unpadded.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 23:21:58 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-12-27 23:21:59 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                                                                                    Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                                                                                    Date: Fri, 27 Dec 2024 23:21:59 GMT
                                                                                                                                                                                                                    Content-Length: 25665
                                                                                                                                                                                                                    Connection: close
                                                                                                                                                                                                                    Set-Cookie: sessionid=0c1e0a6bc3b5000ab161dc80; Path=/; Secure; SameSite=None
                                                                                                                                                                                                                    Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
                                                                                                                                                                                                                    2024-12-27 23:21:59 UTC14479INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
                                                                                                                                                                                                                    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
                                                                                                                                                                                                                    2024-12-27 23:21:59 UTC10097INData Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
                                                                                                                                                                                                                    Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>
                                                                                                                                                                                                                    2024-12-27 23:21:59 UTC1089INData Raw: 68 65 69 72 20 72 65 73 70 65 63 74 69 76 65 20 6f 77 6e 65 72 73 20 69 6e 20 74 68 65 20 55 53 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 75 6e 74 72 69 65 73 2e 3c 62 72 2f 3e 53 6f 6d 65 20 67 65 6f 73 70 61 74 69 61 6c 20 64 61 74 61 20 6f 6e 20 74 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 70 72 6f 76 69 64 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0a 09 09 09 09 09
                                                                                                                                                                                                                    Data Ascii: heir respective owners in the US and other countries.<br/>Some geospatial data on this website is provided by <a href="https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br>



Target ID: 0
Start time: 18:21:52
Start date: 27/12/2024
Path: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Neverlose.cc-unpadded.exe"
Imagebase: 0x280000
File size: 549'889 bytes
MD5 hash: F597948F04BE76E6ACBD59ED828276AA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 18:21:52
Start date: 27/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 18:21:52
Start date: 27/12/2024
Path: C:\Users\user\Desktop\Neverlose.cc-unpadded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Neverlose.cc-unpadded.exe"
Imagebase: 0x280000
File size: 549'889 bytes
MD5 hash: F597948F04BE76E6ACBD59ED828276AA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 18:21:53
Start date: 27/12/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 316
Imagebase: 0x770000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 8.9%
Dynamic/Decrypted Code Coverage: 2.3%
Signature Coverage: 4.3%
Total number of Nodes: 346
Total number of Limit Nodes: 10
20659->20619 20660->20659 20661->20627 20662->20637 20664 284590 20663->20664 20665 2911f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20664->20665 20666 28459d 20665->20666 20666->20643 20668 284560 5 API calls 20667->20668 20669 28f1e1 std::_Throw_Cpp_error 20668->20669 20675 290010 20669->20675 20670 28f1f3 20671 2911f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20670->20671 20672 28e297 20671->20672 20674 28e2e0 CloseThreadpoolWork std::_Throw_Cpp_error 20672->20674 20674->20646 20676 290027 20675->20676 20681 290160 20676->20681 20678 29002e std::_Throw_Cpp_error 20680 290036 20678->20680 20688 290220 20678->20688 20680->20670 20693 28d560 20681->20693 20683 290187 20696 28d690 20683->20696 20686 2911f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20687 2901e1 20686->20687 20687->20678 20703 290260 20688->20703 20691 2911f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20692 290250 20691->20692 20692->20680 20694 28b1f0 47 API calls 20693->20694 20695 28d57e 20694->20695 20695->20683 20699 28b2a0 20696->20699 20700 28b2b1 std::_Throw_Cpp_error 20699->20700 20701 29386f ReleaseSRWLockExclusive 20700->20701 20702 28b2b9 20701->20702 20702->20686 20704 290281 20703->20704 20713 290430 20704->20713 20706 2902c1 20716 2903c0 20706->20716 20710 2902e7 20711 2911f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20710->20711 20712 290243 20711->20712 20712->20691 20723 290570 20713->20723 20715 290450 20715->20706 20717 2903e4 20716->20717 20738 290500 20717->20738 20719 2903ff 20720 2911f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20719->20720 20721 2902d1 20720->20721 20722 290300 134 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 20721->20722 20722->20710 20724 2905a1 20723->20724 20729 2905e0 20724->20729 20726 2905b4 20727 2911f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20726->20727 
20728 2905cb 20727->20728 20728->20715 20730 2905f7 20729->20730 20733 290620 20730->20733 20732 290605 20732->20726 20734 29063d 20733->20734 20736 290645 Concurrency::details::_ContextCallback::_CallInContext 20734->20736 20737 290670 31 API calls 2 library calls 20734->20737 20736->20732 20737->20736 20739 290514 Concurrency::details::_ContextCallback::_CallInContext 20738->20739 20741 29051c Concurrency::details::_ContextCallback::_CallInContext 20739->20741 20747 291da0 RaiseException Concurrency::cancel_current_task 20739->20747 20744 290790 20741->20744 20748 290830 20744->20748 20751 290850 20748->20751 20752 28b9e0 Concurrency::details::_ContextCallback::_CallInContext 125 API calls 20751->20752 20753 290539 20752->20753 20753->20719 20759 29388e GetCurrentThreadId 20754->20759 20757 291c19 40 API calls 2 library calls 20760 2938b8 20759->20760 20761 2938d7 20759->20761 20762 2938bd AcquireSRWLockExclusive 20760->20762 20770 2938cd 20760->20770 20763 2938e0 20761->20763 20764 2938f7 20761->20764 20762->20770 20765 2938eb AcquireSRWLockExclusive 20763->20765 20763->20770 20766 293956 20764->20766 20772 29390f 20764->20772 20765->20770 20768 29395d TryAcquireSRWLockExclusive 20766->20768 20766->20770 20767 2911f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 20769 28b20c 20767->20769 20768->20770 20769->20656 20769->20757 20770->20767 20772->20770 20773 293946 TryAcquireSRWLockExclusive 20772->20773 20774 29454d GetSystemTimePreciseAsFileTime GetSystemTimeAsFileTime __aulldiv __aullrem __Xtime_get_ticks 20772->20774 20773->20770 20773->20772 20774->20772 20927 294188 49 API calls _unexpected 20840 29788f 7 API calls ___scrt_uninitialize_crt 20928 287180 31 API calls std::_Throw_Cpp_error 20930 2a6185 29 API calls 3 library calls 20844 29109a 33 API calls std::_Throw_Cpp_error 20775 2bc19e 20776 2bc1d4 20775->20776 20777 2bc321 GetPEB 20776->20777 20778 2bc333 CreateProcessW VirtualAlloc Wow64GetThreadContext ReadProcessMemory 
VirtualAllocEx 20776->20778 20777->20778 20778->20776 20779 2bc3da WriteProcessMemory 20778->20779 20780 2bc41f 20779->20780 20781 2bc461 WriteProcessMemory Wow64SetThreadContext ResumeThread 20780->20781 20782 2bc424 WriteProcessMemory 20780->20782 20782->20780 20932 28a590 48 API calls 20935 2a55ed 11 API calls 3 library calls 20847 281ae0 6 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 20937 28a5e0 61 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 20938 2869e0 5 API calls 2 library calls 20940 2af1e5 IsProcessorFeaturePresent 20851 2ab6f5 49 API calls 20853 292cc8 45 API calls 2 library calls 20943 2a1dce 34 API calls 2 library calls 20856 2a06cd 16 API calls __dosmaperr 20945 28a7c0 125 API calls 20950 29cfd5 7 API calls 20863 297ad4 73 API calls 2 library calls 20951 2a3bd7 43 API calls 2 library calls

Control-flow Graph

APIs
• CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,002BC110,002BC100), ref: 002BC334
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 002BC347
• Wow64GetThreadContext.KERNEL32(000000A0,00000000), ref: 002BC365
• ReadProcessMemory.KERNELBASE(0000009C,?,002BC154,00000004,00000000), ref: 002BC389
• VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 002BC3B4
• WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 002BC40C
• WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 002BC457
• WriteProcessMemory.KERNELBASE(0000009C,?,?,00000004,00000000), ref: 002BC495
• Wow64SetThreadContext.KERNEL32(000000A0,01150000), ref: 002BC4D1
• ResumeThread.KERNELBASE(000000A0), ref: 002BC4E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1916027196.00000000002BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
• Associated: 00000000.00000002.1915919288.0000000000280000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916008251.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916048622.00000000002BD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916098386.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916123468.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916164445.000000000030C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
• API String ID: 2687962208-3857624555
• Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction ID: 8732fcbb2bf27f750b09e6d0647cf27bd10addc0c0d89fa59da3c22e11f67911
• Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
• Instruction Fuzzy Hash: 46B1087264024AAFDB60CF68CC80BDA73A5FF88754F258164EA0CAB341D774FA51CB94

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
• Associated: 00000000.00000002.1915919288.0000000000280000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916008251.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916027196.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916048622.00000000002BD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916098386.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916123468.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916164445.000000000030C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
Similarity
• API ID: File$CloseCreateHandleSize
• String ID:
• API String ID: 1378416451-0
• Opcode ID: 7a5571745a85aa2c0799291717461dc9f553c9e2a365986e3eaaa71fe82f594d
• Instruction ID: d4e22e729d9d7805c062711c2ae3642ceb817fe6c4fb012b99a5b69a4d7a18a0
• Opcode Fuzzy Hash: 7a5571745a85aa2c0799291717461dc9f553c9e2a365986e3eaaa71fe82f594d
• Instruction Fuzzy Hash: 9871C2B4D05248CFCB10EFA8D59879DBBF4BF48304F108529E499AB381E774A966CF52

Control-flow Graph (legend: Executed, Not Executed)

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
• Associated: 00000000.00000002.1915919288.0000000000280000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916008251.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916027196.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916048622.00000000002BD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916098386.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916123468.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916164445.000000000030C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
Similarity
• API ID: _strcspn
• String ID: @
• API String ID: 3709121408-2766056989
• Opcode ID: d90b7b7df085145f30e8609bd4a1be787178ec0e3515997119571f99de12f977
• Instruction ID: a7c17f52162f2447ba42282631a92cb48b13fb1a73981e2e26228672b687d00d
• Opcode Fuzzy Hash: d90b7b7df085145f30e8609bd4a1be787178ec0e3515997119571f99de12f977
• Instruction Fuzzy Hash: 7A32E4B89152698FCB14EF24C981A9DFBF1BF48300F0585EAE849A7341D734AE95CF91

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1915919288.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916008251.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916027196.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916048622.00000000002BD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916098386.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916123468.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916164445.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ConsoleFreeProtectVirtual
                                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                                      • API String ID: 621788221-2766056989

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A8366: GetConsoleOutputCP.KERNEL32(AA0794DD,00000000,00000000,?), ref: 002A83C9
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,00298191,?,002983F3), ref: 002A8141
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00298191,?,002983F3,?,002983F3,?,?,?,?,?,?,?,?,?,?), ref: 002A814B
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2915228174-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,002A8127,?,002983F3,?,?,?,00000000), ref: 002A8831
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,002A8127,?,002983F3,?,?,?,00000000,?,?,?,?,?,00298191,?,002983F3), ref: 002A8857
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 442123175-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,002A1E08,002BB810), ref: 002A1F65
                                                                                                                                                                                                                      • GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,002A1E08,002BB810), ref: 002A1F77
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileHandleType
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3000768030-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32 ref: 00281BA8
                                                                                                                                                                                                                      • GetModuleFileNameA.KERNEL32 ref: 00281BC8
                                                                                                                                                                                                                        • Part of subcall function 00281870: CreateFileA.KERNELBASE ref: 002818F3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
• Associated: 00000000.00000002.1915919288.0000000000280000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916008251.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916027196.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916048622.00000000002BD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916098386.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916123468.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916164445.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileModule$CreateHandleName
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2828212432-0

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,002A46B0,?,00000000,?,?,002A4350,?,00000007,?,?,002A4C96,?,?), ref: 002A049D
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,002A46B0,?,00000000,?,?,002A4350,?,00000007,?,?,002A4C96,?,?), ref: 002A04A8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 485612231-0

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002919F9: GetModuleHandleExW.KERNEL32(00000002,00000000,(,?,?,002919BC,?,?,0029198D,?,?,?,0028E1E1), ref: 00291A05
                                                                                                                                                                                                                      • FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,AA0794DD,?,?,?,002B0244,000000FF), ref: 00291AEF
                                                                                                                                                                                                                        • Part of subcall function 0028B1F0: std::_Throw_Cpp_error.LIBCPMT ref: 0028B21C
                                                                                                                                                                                                                        • Part of subcall function 0028B1F0: std::_Throw_Cpp_error.LIBCPMT ref: 0028B238
                                                                                                                                                                                                                        • Part of subcall function 0029386F: ReleaseSRWLockExclusive.KERNEL32(?,?,?,0028B2B9,?,0028F9C2), ref: 00293884
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Cpp_errorThrow_std::_$CallbackExclusiveFreeHandleLibraryLockModuleReleaseReturnsWhen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1423221283-0

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CriticalLeaveSection
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3988221542-0
                                                                                                                                                                                                                      • Opcode ID: 8d140c1e86ace91e47ab478012fc8380cb1b10840c3f1041e97f3247bff7e0da
                                                                                                                                                                                                                      • Instruction ID: ecdf2e2406b244df3d41f9e3c45bbb8c3f82375a6eecf4093f382915d073653c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8d140c1e86ace91e47ab478012fc8380cb1b10840c3f1041e97f3247bff7e0da
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F5014437628257AEDF24DE78A9696ACBF20EF86334F2001AFD015D80C2CB124839C710

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: EqualPrefix
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 447727826-0
                                                                                                                                                                                                                      • Opcode ID: 0783b80be5a11eab3efe81e965306ba33aa925d35efc76c3deed9ad4d069903e
                                                                                                                                                                                                                      • Instruction ID: 6a3cd5578c5ee3aab0db91a2627c358366182b175c3497db93ca3daa391d49d3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0783b80be5a11eab3efe81e965306ba33aa925d35efc76c3deed9ad4d069903e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3301E874911209DFCB00EFA8E95579EBBF8FF04304F404569E459A7391EB749A18CF92

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 399 2a04c1-2a04cd 400 2a04ff-2a050a call 29c664 399->400 401 2a04cf-2a04d1 399->401 408 2a050c-2a050e 400->408 403 2a04ea-2a04fb RtlAllocateHeap 401->403 404 2a04d3-2a04d4 401->404 405 2a04fd 403->405 406 2a04d6-2a04dd call 29d224 403->406 404->403 405->408 406->400 411 2a04df-2a04e8 call 29a7ef 406->411 411->400 411->403
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,0029119F,?,?,002831F2,00001000,?,0028313A), ref: 002A04F3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                                                                      • Opcode ID: 556f1f2c095cb599ca5a3413369da72ccdcad749c0851e2b7aa63a2d41fb6b3e
                                                                                                                                                                                                                      • Instruction ID: 4f063a2d580fcdfdb5966e0e9ce1110b45778864334d7b52b3734f3d7d36fb39
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 556f1f2c095cb599ca5a3413369da72ccdcad749c0851e2b7aa63a2d41fb6b3e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5EE0653157031257DA312F65EC85B9F7648BF4BBA0F154122EE0996091DE50DC318BA1

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 414 290500-290516 call 28b060 417 29051c 414->417 418 290521 call 291da0 414->418 420 290526-290536 call 28b090 call 290790 417->420 418->420 423 290539-290540 420->423
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00290521
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 118556049-0
                                                                                                                                                                                                                      • Opcode ID: e661e17063f482c27c2836dd3bd1e7e1a569301e29a1a9b0824203d682e51f04
                                                                                                                                                                                                                      • Instruction ID: 95b980e726a7353f1f2b600d86d574236d3e6ceade607c08a5c0c8524ae01f8a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e661e17063f482c27c2836dd3bd1e7e1a569301e29a1a9b0824203d682e51f04
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A5E04F34C1020CAFCF04FFA4D18146EB7B4AF44310F6040A9E849973A1DB319E24CF41
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 0028BA01
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 118556049-0
                                                                                                                                                                                                                      • Opcode ID: d54092ffe385f37bf38e100b09a46dbf490ab7c81b07d1c2ddcf268f775d5759
                                                                                                                                                                                                                      • Instruction ID: 103d7ed2b6dbcf7f2a1bda9c2c37bb0b4fe44534d845d50b556c986248db23ae
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d54092ffe385f37bf38e100b09a46dbf490ab7c81b07d1c2ddcf268f775d5759
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C6E04F34C1120CDBCB08FFA4D14159DB7B4AF44304F2040ADE409573A1DB315E20CF41
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: __floor_pentium4
                                                                                                                                                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                      • API String ID: 4168288129-2761157908
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,2000000B,002A57A4,00000002,00000000,?,?,?,002A57A4,?,00000000), ref: 002A5E6C
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,20001004,002A57A4,00000002,00000000,?,?,?,002A57A4,?,00000000), ref: 002A5E95
                                                                                                                                                                                                                      • GetACP.KERNEL32(?,?,002A57A4,?,00000000), ref: 002A5EAA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InfoLocale
                                                                                                                                                                                                                      • String ID: ACP$OCP
                                                                                                                                                                                                                      • API String ID: 2299586839-711371036
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 002A5776
                                                                                                                                                                                                                      • IsValidCodePage.KERNEL32(00000000), ref: 002A57B4
                                                                                                                                                                                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 002A57C7
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 002A580F
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 002A582A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 415426439-0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 002A64A5
                                                                                                                                                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 002A6599
                                                                                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 002A65D8
                                                                                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 002A660B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1164774033-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0029407F
                                                                                                                                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 0029414B
                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00294164
                                                                                                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0029416E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 254469556-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002A59AE
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002A59F8
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002A5ABE
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InfoLocale$ErrorLast
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 661929714-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0029CEA8
                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0029CEB2
                                                                                                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0029CEBF
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3906539128-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • EnumSystemLocalesW.KERNEL32(002A595A,00000001,00000000,?,-00000050,?,002A574A,00000000,-00000002,00000000,?,00000055,?), ref: 002A5931
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                      • String ID: JW*
                                                                                                                                                                                                                      • API String ID: 2417226690-2886587201
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetSystemTimePreciseAsFileTime.KERNEL32(?,?,00293918,k8),?,?,?,?,0029386B,?,00000000,?,0028B20C,?,?,0028D57E), ref: 00294827
                                                                                                                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?,AA0794DD,?,?,002B0227,000000FF,?,00294534,?,?,?,?,00294558,00000000,?), ref: 0029482B
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Time$FileSystem$Precise
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 743729956-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002A9BCE,?,?,00000008,?,?,002B005B,00000000), ref: 002A9EA0
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionRaise
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3997070919-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00293CF5
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2325560087-0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 0
                                                                                                                                                                                                                      • API String ID: 0-4108050209
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002A5C60
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3736152602-0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 0
                                                                                                                                                                                                                      • API String ID: 0-4108050209
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 002A5D80
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3736152602-0
                                                                                                                                                                                                                      • Opcode ID: 39e5f61cafa887c538a9fb51535545777643ed784c7d281a31c9e0ef13859a48
                                                                                                                                                                                                                      • Instruction ID: 0e9c8234cc91bc0db5b521bed08040d05fae0d0e2dedbfb8edab0faf8ac333b0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 39e5f61cafa887c538a9fb51535545777643ed784c7d281a31c9e0ef13859a48
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9111CA32621917ABD7149F24DC46ABB73ECEF06310B100179F501D7141EF74ED148B50
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,002A5B76,00000000,00000000,?), ref: 002A5F05
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3736152602-0
                                                                                                                                                                                                                      • Opcode ID: f3ddfe25479178663ef504d115441b15ec31e4ed933d1214b8258dd23bddbc28
                                                                                                                                                                                                                      • Instruction ID: 7ea75b0506a60d397f70685cd0524cc90c2bb464ee56dd7651e112d5ff15dd75
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f3ddfe25479178663ef504d115441b15ec31e4ed933d1214b8258dd23bddbc28
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 25012632A20523BFDB285A258C05BBB7768EB42314F044469EC02E3580EE70FEA1CA90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • EnumSystemLocalesW.KERNEL32(002A5C0C,00000001,?,?,-00000050,?,002A5712,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 002A5BF7
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2417226690-0
                                                                                                                                                                                                                      • Opcode ID: 48a1f3db8a32737456a717fac9c0b61ed2410a8f3c519dcf65d0a5a8c4ca38f4
                                                                                                                                                                                                                      • Instruction ID: 044bc814baa7d55815b1f53a6e4ae38508f71ffbfb59c036b6a0cc93aaba3e7c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 48a1f3db8a32737456a717fac9c0b61ed2410a8f3c519dcf65d0a5a8c4ca38f4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 86F046363107141FCB245F39DC81A7BBB91EF8232CB08842DF9018B690CAB1AC12CF10
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0029D047: EnterCriticalSection.KERNEL32(?,?,0029A841,00000000,002BB3D8,0000000C,0029A7FA,00001000,?,002A17CA,00001000,?,002A08B1,00000001,00000364,?), ref: 0029D056
                                                                                                                                                                                                                      • EnumSystemLocalesW.KERNEL32(002A169A,00000001,002BB7F0,0000000C,002A10A8,-00000050), ref: 002A16DF
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1272433827-0
                                                                                                                                                                                                                      • Opcode ID: da6149d0e42bcbfd634af7004004de20b0ccb7f97797e969723564857269482f
                                                                                                                                                                                                                      • Instruction ID: 9866e2c20d0231940c0f0e9d3d92e9e7de7a6d832003a38b177db1f33bf2ebdb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: da6149d0e42bcbfd634af7004004de20b0ccb7f97797e969723564857269482f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D9F0493AA20204DFDB10EF98E806B9DB7F0EB45720F00822AF414DB2A1DBB599108F50
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • EnumSystemLocalesW.KERNEL32(002A5D2C,00000001,?,?,?,002A576C,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 002A5D18
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2417226690-0
                                                                                                                                                                                                                      • Opcode ID: 123a3678712f07a14a296b69a4fd90321ef8fa4c92c178a5072132c90e60c174
                                                                                                                                                                                                                      • Instruction ID: 5c8fa9bee90497d8bc49849486cf41b693c2a8e6752c5ddb4f55f9b9d0dc332a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 123a3678712f07a14a296b69a4fd90321ef8fa4c92c178a5072132c90e60c174
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F4F0E53A70071967CB149F35E85966FBF94EFC3720B4A4059EE058B291CA719D52CB90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,0029BDA3,?,20001004,00000000,00000002,?,?,0029ACB5), ref: 002A11E0
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InfoLocale
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2299586839-0
                                                                                                                                                                                                                      • Opcode ID: e6507f44331cfb2a9179ebbffc577705d85791ce993e634343cf38ac91caa405
                                                                                                                                                                                                                      • Instruction ID: 4185599427ebe462305a6c54383903cf3428e7d18b24fa296971f093052f5868
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e6507f44331cfb2a9179ebbffc577705d85791ce993e634343cf38ac91caa405
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 59E04F31910218BBCF222F61EC09AAE3F26EF45771F404110FD0665160DF728A31AE91
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00014188), ref: 0029406C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3192549508-0
                                                                                                                                                                                                                      • Opcode ID: c7e2ab80e3f749ae8d35617f84dd2ab4bbd02beac6c0b85a684042b06d00dc96
                                                                                                                                                                                                                      • Instruction ID: dee2fdc991e65e56a44a3d25c9b6f8f7af8d378545bab89a412b25206e7335ba
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7e2ab80e3f749ae8d35617f84dd2ab4bbd02beac6c0b85a684042b06d00dc96
                                                                                                                                                                                                                      • Instruction Fuzzy Hash:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HeapProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 54951025-0
                                                                                                                                                                                                                      • Opcode ID: 35ecb6cc3d82eb81a7037a53a9300b437c6f926dcb28c2ad2ad4f39bb62e703c
                                                                                                                                                                                                                      • Instruction ID: d1bab9cf6863fe3b40084ea7ebddd2089ad1ff9949775965b1841dcaf6c2a159
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 35ecb6cc3d82eb81a7037a53a9300b437c6f926dcb28c2ad2ad4f39bb62e703c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8CA001B0A11201DB97908F3ABE4D6493AA9AA4A7917898669E419C5164EA248590AF02
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 2fac179884ca9e38b12ce49bd3fd0bef404fc286e023ef7c01f5a9d23db37c74
                                                                                                                                                                                                                      • Instruction ID: b72dc5e7a35c155d90d5f06550285def4d05ca297ba7f6d850d72f6f9f5ee946
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2fac179884ca9e38b12ce49bd3fd0bef404fc286e023ef7c01f5a9d23db37c74
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F051ACB4D1120D9FCB40DFA8D5919EEBBF8AB09310F20445AE809FB390D730AA52CF61
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: be4151d5bff8ca460e7490b704ef1f1a2c7e8e3f416a9c810056ea55428bbeb4
                                                                                                                                                                                                                      • Instruction ID: 76af47ff4dd3ebbfcf75fc4a6451838a4c7743fb30dd0bdf6558b986fbb39c20
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: be4151d5bff8ca460e7490b704ef1f1a2c7e8e3f416a9c810056ea55428bbeb4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 78D0923A641A58AFC610CF49E444D41F7B8FB8D770B168566EA0993B21C331FC11CAE0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 127012223-0
                                                                                                                                                                                                                      • Opcode ID: d12b962477d1db88197332ba1646f270fb3af372e6d71d85930a670431cc81f7
                                                                                                                                                                                                                      • Instruction ID: 78f3e93fad5ee1fe6b92088056385833add4c1998b1926aedaf65e59e0df2809
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d12b962477d1db88197332ba1646f270fb3af372e6d71d85930a670431cc81f7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA71DB729202069FDF219FD48D81FAE77B9DF47310F160165F904A7242DF759C628BA1
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 002945F0
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 0029461C
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 0029465B
                                                                                                                                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00294678
                                                                                                                                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002946B7
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 002946D4
                                                                                                                                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00294716
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00294739
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1915919288.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916008251.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916027196.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916048622.00000000002BD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916098386.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916123468.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000000.00000002.1916164445.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2040435927-0
                                                                                                                                                                                                                      • Opcode ID: aff692b8a523798f8c189647d0adae3777a6cbffb4ed2fe9764b3a046efb39c6
                                                                                                                                                                                                                      • Instruction ID: db8a020b6990b7291b99da692a7a1af2ed17af6c1029678064ebde82085804cd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: aff692b8a523798f8c189647d0adae3777a6cbffb4ed2fe9764b3a046efb39c6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DD51B4B292020ABFEF206FA0DC49FAA7BADEF45744F144524F9159A190D774DD22CB60
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strrchr
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3213747228-0
                                                                                                                                                                                                                      • Opcode ID: 28ab9ecce4e15e3143315e353018c5f3af88507dfb5dc82ed59a1ff67c68ab01
                                                                                                                                                                                                                      • Instruction ID: 644956d36d059773a6707a37538a7029536e8b28c4c737f1a398f42a96f268a8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 28ab9ecce4e15e3143315e353018c5f3af88507dfb5dc82ed59a1ff67c68ab01
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 04B14872E24356AFDB11CF68CC81BAE7BA5EF5A710F144155F504AB282DB70DA21CBA0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • type_info::operator==.LIBVCRUNTIME ref: 0029FC43
                                                                                                                                                                                                                      • CallUnexpected.LIBVCRUNTIME ref: 0029FEBC
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CallUnexpectedtype_info::operator==
                                                                                                                                                                                                                      • String ID: `#+$csm$csm$csm
                                                                                                                                                                                                                      • API String ID: 2673424686-2600235502
                                                                                                                                                                                                                      • Opcode ID: 1fe873ae0ee5840010613aeb2a68085d8f400dd4d63259b44ae08fec437cfda4
                                                                                                                                                                                                                      • Instruction ID: bcc9da31f7e314fe806a71a348a254ec5d515537cf0031178b3ec3fa54ae64e3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1fe873ae0ee5840010613aeb2a68085d8f400dd4d63259b44ae08fec437cfda4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D2B16A7182020AEFCF95DFA4CA819AEB7B5BF04314F14416AEC15AB216D731DA71CFA1
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00295477
                                                                                                                                                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0029547F
                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00295508
                                                                                                                                                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00295533
                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00295588
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                                      • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                      • Opcode ID: a448192a347f2b88bf67dd7a90e0f8ad81e0e2c6b90db695391915c35b25fc24
                                                                                                                                                                                                                      • Instruction ID: 71b561cdadb6a06d88e9dd96ff6dbaa183f141f6e9309f7a19861e21d26f22a3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a448192a347f2b88bf67dd7a90e0f8ad81e0e2c6b90db695391915c35b25fc24
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A141E330B20629DBCF11DF68C884A9E7FB5AF05314F558155E8185B352DB31EE65CF90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 002938A2
                                                                                                                                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?,?,?,0029386B,?,00000000,?,0028B20C,?,?,0028D57E), ref: 002938C1
                                                                                                                                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0029386B,?,00000000,?,0028B20C,?,?,0028D57E), ref: 002938EF
                                                                                                                                                                                                                      • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0029386B,?,00000000,?,0028B20C,?,?,0028D57E), ref: 0029394A
                                                                                                                                                                                                                      • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0029386B,?,00000000,?,0028B20C,?,?,0028D57E), ref: 00293961
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AcquireExclusiveLock$CurrentThread
                                                                                                                                                                                                                      • String ID: k8)
                                                                                                                                                                                                                      • API String ID: 66001078-4008630596
                                                                                                                                                                                                                      • Opcode ID: c27314219a232a70853823fab2d7abded8dd27385d0415bf0b2965faa7ea588b
                                                                                                                                                                                                                      • Instruction ID: b37247fa117991ed11d019b35f360cbf071b7887acf6ba81c9e997c065810971
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c27314219a232a70853823fab2d7abded8dd27385d0415bf0b2965faa7ea588b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A2415B31920A07DFEF20DF65C484B6AB3F5FF09310B504A29E446D7640E7B0EAA5CB51
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,AA0794DD,?,002A1508,002831F2,?,00000000,?), ref: 002A14BA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                      • API String ID: 3664257935-537541572
                                                                                                                                                                                                                      • Opcode ID: 8f14552486478e7894aec496dadcb62492e2617f8ee7573a2c29f3e1a3a47b4e
                                                                                                                                                                                                                      • Instruction ID: 76cf7d756224fd9f56e8b400bb55f30166a62a0bbcc3e329ef32e9952a7a45a1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8f14552486478e7894aec496dadcb62492e2617f8ee7573a2c29f3e1a3a47b4e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79210035E11212A7CB319F69FC44AAA37589B47770F260210F915A72D1DF70ED30C6D0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002947C1
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 002947CF
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 002947E0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                      • String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                                                                                                                                                      • API String ID: 667068680-1047828073
                                                                                                                                                                                                                      • Opcode ID: e32a0e604ff0a9776899bed9c8c2018759c5dec839faec8836209d1e0adc533a
                                                                                                                                                                                                                      • Instruction ID: 14d392e249a653ae1a6b2fd766b0f5bb4f760633a72a21bec71bbe6cb8e68aca
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e32a0e604ff0a9776899bed9c8c2018759c5dec839faec8836209d1e0adc533a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 27D0A7719262105F87205F70BC0DDC53FB4EA063413814252F801D21A0FB741500CB5A
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b2d14117bc2441d7c45b054ce6dfbb43703513586c4f9acae1239460dae4a2a6
                                                                                                                                                                                                                      • Instruction ID: 7e5160801c238ae9e8c2b46de2d54077cb0ec33b0e4deb6d671aaea3c42cf0e8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b2d14117bc2441d7c45b054ce6dfbb43703513586c4f9acae1239460dae4a2a6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79B10670A2424AAFDF15DF9DD885BBD7BB5BF4B300F144298E8049B291CB7099A1CF60
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,0029F2A3,00294E61,002941CC), ref: 0029F2BA
                                                                                                                                                                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0029F2C8
                                                                                                                                                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0029F2E1
                                                                                                                                                                                                                      • SetLastError.KERNEL32(00000000,0029F2A3,00294E61,002941CC), ref: 0029F333
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3852720340-0
                                                                                                                                                                                                                      • Opcode ID: 69391624d109973a5fefccc058228be18565377cd9c190b10308d3b2abb752a5
                                                                                                                                                                                                                      • Instruction ID: 037736c3ef1e82d28e6bfe0495b7b110fa4991a9c861d701e44ce64a844ba7c0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 69391624d109973a5fefccc058228be18565377cd9c190b10308d3b2abb752a5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5101B1326393525EEEA52BB8BD899AB2A84DF52379720033DF810850F1FF914C229654
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,AA0794DD,?,?,00000000,002B0244,000000FF,?,0029A5FD,0029A4E4,?,0029A699,00000000), ref: 0029A571
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0029A583
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,002B0244,000000FF,?,0029A5FD,0029A4E4,?,0029A699,00000000), ref: 0029A5A5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                      • Opcode ID: 4656ab08f952377f3d57f92254a67a1e25cc1018f4e1ac2f63fe8eaa6dafa293
                                                                                                                                                                                                                      • Instruction ID: f3d2fcc24194a9b93b27b177324847980c1d087f4857a4a0820e74aa6b00cc57
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4656ab08f952377f3d57f92254a67a1e25cc1018f4e1ac2f63fe8eaa6dafa293
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 43018F71A10615AFCB128F54DC09FEEBBB8FB48B11F440625E815A22A0DB749A00CB91
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 002A1C52
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 002A1D1B
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002A1D82
                                                                                                                                                                                                                        • Part of subcall function 002A04C1: RtlAllocateHeap.NTDLL(00000000,?,?,?,0029119F,?,?,002831F2,00001000,?,0028313A), ref: 002A04F3
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002A1D95
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002A1DA2
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1423051803-0
                                                                                                                                                                                                                      • Opcode ID: e6d53ea0f0e158bbdfa6a3c051b3fe1ff4db7876ca4f1160c0a55f7cf9a71e3f
                                                                                                                                                                                                                      • Instruction ID: eb7135c25da19a8abc6ee50ade0428da480ca7d33ab71660ad04a39f2e1b7378
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e6d53ea0f0e158bbdfa6a3c051b3fe1ff4db7876ca4f1160c0a55f7cf9a71e3f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CF5184726206066FEF109E60CC81EBB7BAEEF46720F190529FD04D6155EF70DD708A60
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __EH_prolog3.LIBCMT ref: 00291853
                                                                                                                                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0029185E
                                                                                                                                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 002918CC
                                                                                                                                                                                                                        • Part of subcall function 00291755: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0029176D
                                                                                                                                                                                                                      • std::locale::_Setgloballocale.LIBCPMT ref: 00291879
                                                                                                                                                                                                                      • _Yarn.LIBCPMT ref: 0029188F
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1088826258-0
                                                                                                                                                                                                                      • Opcode ID: b37e1aafd931488de32a61cf550a2d6c2d89c8a397a6ed251d0e24bf9335345b
                                                                                                                                                                                                                      • Instruction ID: 6e2188eaf501f1362f6abc966a4962f7bd791d38fc3e6860da89e8e7b4cd2e08
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b37e1aafd931488de32a61cf550a2d6c2d89c8a397a6ed251d0e24bf9335345b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C101D475A102129BDF06EF61E8459BC7771BFC4340B554148E81157391EF346E72CF81
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,002AAC9D,00000000,?,002BEFA0,?,?,?,002AABD4,00000004,InitializeCriticalSectionEx,002B4F0C,002B4F14), ref: 002AAC0E
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,002AAC9D,00000000,?,002BEFA0,?,?,?,002AABD4,00000004,InitializeCriticalSectionEx,002B4F0C,002B4F14,00000000,?,002A016C), ref: 002AAC18
                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 002AAC40
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                      • String ID: api-ms-
                                                                                                                                                                                                                      • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                      • Opcode ID: 99c67ccab864be8b81d3a09384c4dd58e92b0e796d7ee859b72e27bd2eb2a657
                                                                                                                                                                                                                      • Instruction ID: 97f1f8fe43006218ea43317a25337cc2b66dd8360708ea88c910dd14ff18cfcb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 99c67ccab864be8b81d3a09384c4dd58e92b0e796d7ee859b72e27bd2eb2a657
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4BE01270690205BBEF101F50FC0AB693B59AF11B51F144021F90CA80E1DB61D960C646
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetConsoleOutputCP.KERNEL32(AA0794DD,00000000,00000000,?), ref: 002A83C9
                                                                                                                                                                                                                        • Part of subcall function 002A05D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002A1D78,?,00000000,-00000008), ref: 002A0632
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002A861B
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002A8661
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 002A8704
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2112829910-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
• Associated: 00000000.00000002.1915919288.0000000000280000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916008251.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916027196.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916048622.00000000002BD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916098386.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916123468.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1916164445.000000000030C000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
APIs
  • Part of subcall function 002A05D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002A1D78,?,00000000,-00000008), ref: 002A0632
• GetLastError.KERNEL32 ref: 002A61F6
• __dosmaperr.LIBCMT ref: 002A61FD
• GetLastError.KERNEL32 ref: 002A6237
• __dosmaperr.LIBCMT ref: 002A623E
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 002A7590
  • Part of subcall function 002A05D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002A1D78,?,00000000,-00000008), ref: 002A0632
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002A75C8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002A75E8
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
APIs
• __EH_prolog3.LIBCMT ref: 00293296
• std::_Lockit::_Lockit.LIBCPMT ref: 002932A0
  • Part of subcall function 00284360: std::_Lockit::_Lockit.LIBCPMT ref: 0028438E
  • Part of subcall function 00284360: std::_Lockit::~_Lockit.LIBCPMT ref: 002843B9
• codecvt.LIBCPMT ref: 002932DA
• std::_Lockit::~_Lockit.LIBCPMT ref: 00293311
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
• String ID:
• API String ID: 3716348337-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,002AE59F,00000000,00000001,?,?,?,002A8758,?,00000000,00000000), ref: 002AF0C7
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,002AE59F,00000000,00000001,?,?,?,002A8758,?,00000000,00000000,?,?,?,002A809E,?), ref: 002AF0D3
                                                                                                                                                                                                                        • Part of subcall function 002AF124: CloseHandle.KERNEL32(FFFFFFFE,002AF0E3,?,002AE59F,00000000,00000001,?,?,?,002A8758,?,00000000,00000000,?,?), ref: 002AF134
                                                                                                                                                                                                                      • ___initconout.LIBCMT ref: 002AF0E3
                                                                                                                                                                                                                        • Part of subcall function 002AF105: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002AF0A1,002AE58C,?,?,002A8758,?,00000000,00000000,?), ref: 002AF118
                                                                                                                                                                                                                      • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,002AE59F,00000000,00000001,?,?,?,002A8758,?,00000000,00000000,?), ref: 002AF0F8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2744216297-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00294C22
                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00294C31
                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 00294C3A
                                                                                                                                                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00294C47
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2933794660-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,0029AB4D,?,?,?,00000055,?,-00000050,?,?,?), ref: 002A4E31
                                                                                                                                                                                                                      • IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,0029AB4D,?,?,?,00000055,?,-00000050,?,?), ref: 002A4E68
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$CodePageValid
                                                                                                                                                                                                                      • String ID: utf8
                                                                                                                                                                                                                      • API String ID: 943130320-905460609
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0029FE49,?,?,00000000,00000000,00000000,?), ref: 0029FF6D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: EncodePointer
                                                                                                                                                                                                                      • String ID: MOC$RCC
                                                                                                                                                                                                                      • API String ID: 2118026453-2084237596
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0029FA2B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ___except_validate_context_record
                                                                                                                                                                                                                      • String ID: csm$csm
                                                                                                                                                                                                                      • API String ID: 3493665558-3733052814
                                                                                                                                                                                                                      • Opcode ID: f3c6628e729c1d0a351a79d8ff6a3b27bb67afee4ee5648c2ccb5d49cc8bfca3
                                                                                                                                                                                                                      • Instruction ID: f9a609b68c9de889e022f8d7ac91e4e17316da10902abb769026c01f059e48b4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f3c6628e729c1d0a351a79d8ff6a3b27bb67afee4ee5648c2ccb5d49cc8bfca3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7A31C6726202159BCFE29F50DE649AA7B65FF0C319B188179FC48CA221D332CDB1DB91
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 0029200A
                                                                                                                                                                                                                      • RaiseException.KERNEL32(?,?,?,?), ref: 0029202F
                                                                                                                                                                                                                        • Part of subcall function 00294D23: RaiseException.KERNEL32(E06D7363,00000001,00000003,00293ADE,?,?,?,?,00293ADE,00001000,002BAE2C,00001000), ref: 00294D84
                                                                                                                                                                                                                        • Part of subcall function 0029D2B9: IsProcessorFeaturePresent.KERNEL32(00000017,00297E7B,?,?,?,?,00000000), ref: 0029D2D5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                                      • API String ID: 1924019822-1018135373
                                                                                                                                                                                                                      • Opcode ID: 4fa57d41a27ebcf969e1d76b22b9fea3f946f95d429c67ff0b30f5156a2865b0
                                                                                                                                                                                                                      • Instruction ID: 7b513da8d16cd0f538939970f01237b22ff9ceae4794281e6724590b6d7d4a1d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4fa57d41a27ebcf969e1d76b22b9fea3f946f95d429c67ff0b30f5156a2865b0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0D21CF31D1021DEBCF25DFA9D9859EEB3B8FF14710F14441AE949AB250E730AE69CB80
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Yarn
                                                                                                                                                                                                                      • String ID: =n+
                                                                                                                                                                                                                      • API String ID: 1767336200-2217742520
                                                                                                                                                                                                                      • Opcode ID: a917543aa280aa1a399b608f64cf5f6c3ec492a9938613d32fc6e60a76136a67
                                                                                                                                                                                                                      • Instruction ID: 15972d6de72d7e329f585558c2c253ec5b74782653c68235224ced7f032f4c7b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a917543aa280aa1a399b608f64cf5f6c3ec492a9938613d32fc6e60a76136a67
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C3E065327182056BEF18AA67DC12FB637DCDF407A0F14012DF90A8A5C1ED50EC208A54
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleExW.KERNEL32(00000002,00000000,(,?,?,002919BC,?,?,0029198D,?,?,?,0028E1E1), ref: 00291A05
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.1915944674.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                                                                      • String ID: MZx$(
                                                                                                                                                                                                                      • API String ID: 4139908857-1019860307
                                                                                                                                                                                                                      • Opcode ID: 45fc37521652e0e48d57e6e0077a5d633c73fb6df6af4e8cc580649641a131e3
                                                                                                                                                                                                                      • Instruction ID: fd53bda7c8073c1c9e90fdfa958dc2904b22b715fc5ab6d365756e8e34fa86a1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 45fc37521652e0e48d57e6e0077a5d633c73fb6df6af4e8cc580649641a131e3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E1D02B31721205F6DF108B519C0FFDE72EC8B04795F2004549101D50C0C2B0CF54D210

                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                      Execution Coverage:1.3%
                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                      Signature Coverage:34.7%
                                                                                                                                                                                                                      Total number of Nodes:49
                                                                                                                                                                                                                      Total number of Limit Nodes:3

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: nq[P$rq[P
                                                                                                                                                                                                                      • API String ID: 2994545307-2909691123
                                                                                                                                                                                                                      • Opcode ID: 6284779297c15d92aad6113c9a59f44f615f4a62402be2677d1ef626f2a7c62b
                                                                                                                                                                                                                      • Instruction ID: b607d9503db8f49fc5eb3f4a9d08a94e19dddf56f676e5841e6c9b2ad61a41b1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6284779297c15d92aad6113c9a59f44f615f4a62402be2677d1ef626f2a7c62b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A451E536E501558FDB18CF28CC815BEB763FBC9310F2A5269D592A7356CB78AC02C798

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ExitProcess.KERNEL32(00000000), ref: 0040897D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExitProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 621844428-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 81 439af0-439b22 LdrInitializeThunk
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LdrInitializeThunk.NTDLL(0043BC68,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00439B1E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 158 43a55a-43a56c call 439450 161 43a591-43a5e1 158->161 162 43a56e-43a573 158->162 164 43a5f0-43a615 161->164 163 43a580-43a58f 162->163 163->161 163->163 164->164 165 43a617-43a61e 164->165 166 43a6a1-43a6b3 call 439450 165->166 167 43a624-43a62f 165->167 173 43a6d1-43a71f 166->173 174 43a6b5-43a6ba 166->174 169 43a630-43a637 167->169 171 43a640-43a646 169->171 172 43a639-43a63c 169->172 171->166 176 43a648-43a661 call 439af0 171->176 172->169 175 43a63e 172->175 178 43a720-43a745 173->178 177 43a6c0-43a6cf 174->177 175->166 176->166 177->173 177->177 178->178 181 43a747-43a752 178->181 182 43a670-43a69c 181->182 183 43a758-43a75a 181->183 182->166 184 43a760-43a767 183->184 185 43a780-43a786 184->185 186 43a769-43a76c 184->186 185->182 187 43a78c-43a79d call 439af0 185->187 186->184 188 43a76e 186->188 190 43a7a2-43a7a5 187->190 188->182 190->182
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 75 433f96-433fde call 43b5e0 GetUserDefaultUILanguage 78 433fe0-433fe3 75->78 79 434010-434041 78->79 80 433fe5-43400e 78->80 80->78
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetUserDefaultUILanguage.KERNELBASE ref: 00433FB6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DefaultLanguageUser
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 95929093-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 82 439ab6-439ac8 call 43b250 RtlReAllocateHeap 85 439ae0-439ae2 82->85
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlReAllocateHeap.NTDLL(?,00000000), ref: 00439AC2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1279760036-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 86 4380b0-4380ba RtlAllocateHeap
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 004380BA
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1279760036-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 88 4380f3-438105 call 43b250 RtlFreeHeap
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlFreeHeap.NTDLL(?,00000000), ref: 004380FE
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3298025750-0
                                                                                                                                                                                                                      • Opcode ID: e1e10fe9efff281f5ff51a9d723dbbd7af2ed098d80cef64a20feb2d9ca161ab
                                                                                                                                                                                                                      • Instruction ID: 7819ff3d06509e8342e432a01b3300ba2fcbd0b48a11999bf07549068c8c729b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e1e10fe9efff281f5ff51a9d723dbbd7af2ed098d80cef64a20feb2d9ca161ab
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 61B01234085010AAD5103B11BC0DFCB7F10EF45311F0140E2B200640B287615841C9CC
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: NV[K$UAPS$UXWZ$VM$VQlJ$h$mtwz$n$rrip$tYCZ
                                                                                                                                                                                                                      • API String ID: 0-3331790720
                                                                                                                                                                                                                      • Opcode ID: 23847872f2627ba97969ec9efbc11b36efa7c93efb836e547c5bc3453f7e3632
                                                                                                                                                                                                                      • Instruction ID: 7741a0428823d80e118f5df9010b1c44a856e0838fbdef6cf153a24b4129b43b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 23847872f2627ba97969ec9efbc11b36efa7c93efb836e547c5bc3453f7e3632
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0381E0B150D3E18BE331CF25A0907ABBFE1AB96340F28496DC5DD5B342C7791805CB9A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: C>X0$D$D"A$$J6EH$MN$P&@8$]*N,$^:B<$xYw[
                                                                                                                                                                                                                      • API String ID: 0-3292156457
                                                                                                                                                                                                                      • Opcode ID: c6d5bb265bdb93c89c28a49cddbc124b38db168f9fe5d0d1307b72b25f450001
                                                                                                                                                                                                                      • Instruction ID: ad70754358f75f96f89e5d5f4c9addb1857235af53de9c673c40fbd92a9384dd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c6d5bb265bdb93c89c28a49cddbc124b38db168f9fe5d0d1307b72b25f450001
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 43917AB0108340CFD3248F14C4A1BABBBF1FF86359F458A5DE4894F2A1E3798946CB5A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: DCBA$DCBA$DCBA$[\$5Zl$5Zl$Z\$^P
                                                                                                                                                                                                                      • API String ID: 2994545307-3151724278
                                                                                                                                                                                                                      • Opcode ID: ab693a78d0b19306fe809804e87f005d828ab756b41879f79a1b5e553287b66c
                                                                                                                                                                                                                      • Instruction ID: 30ab7f929d8a07dc3d8873c68d2278d649e136490da9de6a5d43bf32cd8d4692
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ab693a78d0b19306fe809804e87f005d828ab756b41879f79a1b5e553287b66c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1892A8316493409BD720CF64C8857AFB7E2FBD5300F18856EE5859B391D3B99C82CB9A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: L$d"d$$l2r4$m:i<$|&t8$Z\$^P
                                                                                                                                                                                                                      • API String ID: 0-1724584702
                                                                                                                                                                                                                      • Opcode ID: fb70b4c9c05101007d508a61fb3708714a996244607e1c5ef3b49211955d8373
                                                                                                                                                                                                                      • Instruction ID: 2a9502ae1b22e79b802cbd78b7a1b8f54dc075db748f69bc6e5fa1cfc8ef5e0c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fb70b4c9c05101007d508a61fb3708714a996244607e1c5ef3b49211955d8373
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F6134B29093908BD335CF5684923EBBAE2EBD9304F58892DC4CD6B355D7384552CB8B
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,002A57A4,?,00000000), ref: 002A5E6C
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,002A57A4,?,00000000), ref: 002A5E95
                                                                                                                                                                                                                      • GetACP.KERNEL32(?,?,002A57A4,?,00000000), ref: 002A5EAA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InfoLocale
                                                                                                                                                                                                                      • String ID: ACP$OCP
                                                                                                                                                                                                                      • API String ID: 2299586839-711371036
                                                                                                                                                                                                                      • Opcode ID: 58cf146ade97771d323d5cb0a121fa81e6638fb7ed754fbe1589c97cc0155331
                                                                                                                                                                                                                      • Instruction ID: 80ba4f8dca4757c2e8fd80fdefb92feb2e3a241a19eb7caceb69c052618ae2ea
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 58cf146ade97771d323d5cb0a121fa81e6638fb7ed754fbe1589c97cc0155331
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 59217731A30922ABDB348F64CB04A9773E6EF56F54B568424E906D7100EF32DF60C750
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • GetUserDefaultLCID.KERNEL32 ref: 002A5776
                                                                                                                                                                                                                      • IsValidCodePage.KERNEL32(00000000), ref: 002A57B4
                                                                                                                                                                                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 002A57C7
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 002A580F
                                                                                                                                                                                                                      • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 002A582A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 415426439-0
                                                                                                                                                                                                                      • Opcode ID: fd00c67a19dd8de18aa144755e499f8d8cf2653d1f45a106acbe0e420afcad4a
                                                                                                                                                                                                                      • Instruction ID: 8990a40712ca46a8590bdcfa2988e59c2acc19414e11e434ceb2b173e163b835
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fd00c67a19dd8de18aa144755e499f8d8cf2653d1f45a106acbe0e420afcad4a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 96518F71A20A2AEFDF10DFA4CC45ABFB7B8BF06700F140469A911E7191EF709964CB61
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: ";G$d<$l$nv$tr
                                                                                                                                                                                                                      • API String ID: 0-995644117
                                                                                                                                                                                                                      • Opcode ID: 8677d267741a8d6fd2b04c2b67c7019589f9450b38e70caaeb5818bcc74a52c9
                                                                                                                                                                                                                      • Instruction ID: df48264671a07a49878f384e58ab6bb208ea46f082ef2c8c8ba53de654e0de4f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8677d267741a8d6fd2b04c2b67c7019589f9450b38e70caaeb5818bcc74a52c9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1612AE7550D3D08BD3328F2688906EBBFE1ABD7304F184A6DD4C95B392C73A5909CB96
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
• Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 940c0e5d6642d71f3349d6853f9f47a4d852d201499cf18fcd482ab34cbb11e5
                                                                                                                                                                                                                      • Instruction ID: 966ac958192db1eff66fa9f72f85b7e7961936e70acbd51ffaf6332c8a346f2d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 940c0e5d6642d71f3349d6853f9f47a4d852d201499cf18fcd482ab34cbb11e5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7023B71E1121A9BDF14CFA8D880AAEFBF5FF48314F25826AD519A7340D731AA51CB90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002A64A5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
• Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileFindFirst
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1974802433-0
                                                                                                                                                                                                                      • Opcode ID: 3b0f891644d1c17afe1cf3f39f4e456e029fe970e57a956c4a0d8c001f728b3d
                                                                                                                                                                                                                      • Instruction ID: 9293268dfa024d1e238b9454a38b24072c212b81486a977c268916cbc04db909
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3b0f891644d1c17afe1cf3f39f4e456e029fe970e57a956c4a0d8c001f728b3d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0E71F8B1D151599FDF30AF388C8DAAEBBB9EB06300F5841D9E04997111DF354EA58F10
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0029407F
                                                                                                                                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 0029414B
                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00294164
                                                                                                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0029416E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
• Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 254469556-0
                                                                                                                                                                                                                      • Opcode ID: bbb6007e6c0402ada64d36e18123536c610272defe1dbf78e9b3deb6d5687564
                                                                                                                                                                                                                      • Instruction ID: eeeafd860bbaafec534604f096912d8b38ce69e26caeb91c19aa0246155a73b8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bbb6007e6c0402ada64d36e18123536c610272defe1dbf78e9b3deb6d5687564
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71310AB5D112199BDF20EFA4D94DBCDBBB8AF08300F1041AAE50DAB250E7719B858F85
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $&=",$)${yrs
                                                                                                                                                                                                                      • API String ID: 0-1254945749
                                                                                                                                                                                                                      • Opcode ID: d40627908e96dda92a4d965530751face9949d40852ba6946d5ffca92c465dbb
                                                                                                                                                                                                                      • Instruction ID: 81033180e824efb6238312a03b4fd97b2519aaf2c39ab56ec81eecc0e62b379a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d40627908e96dda92a4d965530751face9949d40852ba6946d5ffca92c465dbb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EB52367590C3908FC725CF25C8807AFBBE1AF96304F08856EE8D55B392D739894ACB56
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: +[J;$DCBA$DCBA$f
                                                                                                                                                                                                                      • API String ID: 2994545307-979426530
                                                                                                                                                                                                                      • Opcode ID: b779821aa48d1f537e0a5818c19115795b1aac73c8baaf1e0f495c05489447a5
                                                                                                                                                                                                                      • Instruction ID: 6e64e34dcd31ac6d1c56d3237c8ca23546036134a602b87600847ab7c5b3d5d6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b779821aa48d1f537e0a5818c19115795b1aac73c8baaf1e0f495c05489447a5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A912F3716083418BC718CF29C89072BB7E2FBD9314F189A6EF49597391DB79ED018B86
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: DCBA$DCBA$DCBA$DCBA
                                                                                                                                                                                                                      • API String ID: 0-1380943437
                                                                                                                                                                                                                      • Opcode ID: 1fad232efbf2104744d23570844e905b283685d5ef7122856a7b502bd80bc565
                                                                                                                                                                                                                      • Instruction ID: db2459913d76577c8d131428bae0f0046f550a55b2fe272ecb3189ba83e80acf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1fad232efbf2104744d23570844e905b283685d5ef7122856a7b502bd80bc565
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6AC113316083119BD710DF50C881B2BF7E2EB89714F16A97EE98567382D7799C018BAA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 5+$)'->$Yysw$p.
                                                                                                                                                                                                                      • API String ID: 0-3271381888
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: ",*"$%!+!$1<7n$jrj-
                                                                                                                                                                                                                      • API String ID: 0-1366688494
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: <=$<=$LGHI$CIE
                                                                                                                                                                                                                      • API String ID: 0-1119745755
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 9=$@bq$@bq
                                                                                                                                                                                                                      • API String ID: 0-316456066
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: <#:Z$DCBA$IO{B
                                                                                                                                                                                                                      • API String ID: 2994545307-3001781657
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: 36;$DCBA
                                                                                                                                                                                                                      • API String ID: 2994545307-4072228999
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: DCBA$DCBA
                                                                                                                                                                                                                      • API String ID: 0-1149900676
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: !
                                                                                                                                                                                                                      • API String ID: 0-113910852
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: "
                                                                                                                                                                                                                      • API String ID: 0-123907689
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: wH
                                                                                                                                                                                                                      • API String ID: 0-1503671404
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: ~
                                                                                                                                                                                                                      • API String ID: 0-1707062198
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: WXY
                                                                                                                                                                                                                      • API String ID: 0-578357071
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: DCBA
                                                                                                                                                                                                                      • API String ID: 0-2222620526
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: ytyu
                                                                                                                                                                                                                      • API String ID: 0-3122247562
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: ytyu
                                                                                                                                                                                                                      • API String ID: 0-3122247562
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: ytyu
                                                                                                                                                                                                                      • API String ID: 0-3122247562
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: !y{{
                                                                                                                                                                                                                      • API String ID: 0-1777749009
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: DCBA
                                                                                                                                                                                                                      • API String ID: 2994545307-2222620526
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: DCBA
                                                                                                                                                                                                                      • API String ID: 0-2222620526
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: DCBA
                                                                                                                                                                                                                      • API String ID: 2994545307-2222620526
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $(Ca
                                                                                                                                                                                                                      • API String ID: 0-3651910949
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: DCBA
                                                                                                                                                                                                                      • API String ID: 0-2222620526
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: DCBA
                                                                                                                                                                                                                      • API String ID: 0-2222620526
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: nt
                                                                                                                                                                                                                      • API String ID: 0-3989823987
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: DCBA
                                                                                                                                                                                                                      • API String ID: 0-2222620526
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Instruction ID: 14eed3b193b92f7bd7c91c1a12cb5a7423ebfd5753331b59b2878284fe61ec2b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ee99c97f6f89cf30c3feef9581b9004457b133a689d45e6388639d76d7a6940e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F971053124C3C28AD3119F7984903ABFFE0AFA2304F08597DE4D49B386D7798919D766
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a2354b7e78736bff6752e317a600d56ae2db8798d09994f5bf9b8b57d6477927
                                                                                                                                                                                                                      • Instruction ID: 14fdeba948a93b3c53f68ce45ab72a6c3727f090b9ad8d9c7f5e46addf120586
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a2354b7e78736bff6752e317a600d56ae2db8798d09994f5bf9b8b57d6477927
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D551BC7420C3118BC714DF24D86266BB7F1EF82724F44991DE4D59B3A1E338D905DB5A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1c4fdf97a2f1a179d9e674d41816b876a5a1ec115cd740e6f1111616f76577ff
                                                                                                                                                                                                                      • Instruction ID: 790f180e8d4a6f5c1ef5855a9cf66029b52f87d90570feadd83e32b30a7b9a35
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1c4fdf97a2f1a179d9e674d41816b876a5a1ec115cd740e6f1111616f76577ff
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8471C77160C3428FD715CF28C49062EBBE2AFC9314F188AAEE8D58B392D675DC41CB56
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 74f69f23d04b8d3363161613e04029a9dd53a912bd554f0e8a5a3837446c2789
                                                                                                                                                                                                                      • Instruction ID: 926b0f658338236115fec19bad7f90239f3caae2bc3b57b709916a7c7eb54a4e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 74f69f23d04b8d3363161613e04029a9dd53a912bd554f0e8a5a3837446c2789
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4961E0B1A413669FDB44CF68DC82A9ABF30FB06310B1542A9E450AF352C734C442CFD5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: f6a177ef1093b82863d6bdf4325194f686afbf03b595ab962e2a594d60901889
                                                                                                                                                                                                                      • Instruction ID: ffa4024d1fecf6a95fbfc38947bfe75a971755c75a06410646f70d773baaa8df
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f6a177ef1093b82863d6bdf4325194f686afbf03b595ab962e2a594d60901889
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F41E1B560C3048FC714EF65E84157BB7E2FBD9304F14957EE19683661DB3898428B8A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
                                                                                                                                                                                                                      • Instruction ID: 9a6b9e8a26fb0f3bc84429a8fb07d45c664269e9ebb10f82827b0a9ce94155c9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1410B32B0827147CB188E2D8D9417ABAD75FC5205F0EC63AFCC5AB7D6D578990097D4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 903ef91e967a0d62a4c8ea8cf3112483b0a371131d01f03f766f21ce1a984c77
                                                                                                                                                                                                                      • Instruction ID: 5c657de7f26490f95fdc6555e03d0d8e02ef097c67437bfc1f9f76acc00ffa76
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 903ef91e967a0d62a4c8ea8cf3112483b0a371131d01f03f766f21ce1a984c77
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9441AF7094C3D28BC7368F2498207BBBFE4DFA6304F0409ADC5D997242D73945468B9A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f5603cbb745550a2514ff01182270a9a8e80b3420d347e984a97f53bf9fbb18c
                                                                                                                                                                                                                      • Instruction ID: 4d9938d5427aa00a19422e960cfa433b480ec0df9e382fbeb79cb8a426852a4d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f5603cbb745550a2514ff01182270a9a8e80b3420d347e984a97f53bf9fbb18c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9131F271A09750CBD7208F14C8952EBB7A6FFC2314F088A1ED0D99B3A4E7388441CB56
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 63772adff518944676ac6470e3648175ca610b2eefb1d204d6592b914da60d35
                                                                                                                                                                                                                      • Instruction ID: 2c40c0230266d8b2cfbe3e46dea91ec0ef3861f69abc0ad3f180c9264077abf0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 63772adff518944676ac6470e3648175ca610b2eefb1d204d6592b914da60d35
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4731D4B56083088FD314EF64E84167B77E2FBDA305F18947DE18593321E778D842968A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9433e60035ba4c9306ed9e0aa2f5c2921af3a1801f73c3913cadd04d8984d3d7
                                                                                                                                                                                                                      • Instruction ID: 0cb7e63ae8744aacaefeca5f920cf5fe8da4bed82846817093fb181a9d0cc02d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9433e60035ba4c9306ed9e0aa2f5c2921af3a1801f73c3913cadd04d8984d3d7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8B412AB2A0C3908BC728CF25881279FBAE2FBC2304F499E6DD4D59B351D73885068B47
Memory Dump Source
• Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0f6ad7d9c34e7ea356eb3540795efbc1ab240de763d2a8bf3d96e86f7d4d8a92
                                                                                                                                                                                                                      • Instruction ID: 81e569abe051f961958ec96375d0cfb2aa78fc3b7caf3bd46b5982c106ba7b36
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0f6ad7d9c34e7ea356eb3540795efbc1ab240de763d2a8bf3d96e86f7d4d8a92
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F62129246086450BC318DE3844A1237B6D6DF9E310F19592ED696DB691EB2CD90187C9
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 2ae1ecbdd5ccb704cb593e8af954e716b6d7fc6c9e0ea1c3bdec56e73eb41192
                                                                                                                                                                                                                      • Instruction ID: fca41f22eda54ae0133c663ea8b877ba853581e50aeda0c197d52a580c5e259f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2ae1ecbdd5ccb704cb593e8af954e716b6d7fc6c9e0ea1c3bdec56e73eb41192
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 00218F3860831B8BCB24DF68C49067EB3F2FF88B84F56D46ED88057224EB389D659715
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8aec68d1cb419c89565ea5824c88c8953c25aeeb2aa4d373872804785ba67db2
                                                                                                                                                                                                                      • Instruction ID: 30c4168b9de1aa88309de4f0fa0d616f59544a5b9bd3e046015339af948f82e3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8aec68d1cb419c89565ea5824c88c8953c25aeeb2aa4d373872804785ba67db2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3B21A1379A2B284BD3108EA4DCC57913295E795328F3D86B98934AB3D2D97F9D0346D0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6fa11c3f533b8eba760b25f0fb583a2543553b87029177c7212ae4619e256edf
                                                                                                                                                                                                                      • Instruction ID: 319dea69129caf743b3be47d61f7b803c4b4f15ce93bdd553d01b9543d361ed5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6fa11c3f533b8eba760b25f0fb583a2543553b87029177c7212ae4619e256edf
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F4112934691A008FD769CB34DCA0AA737D3E79B310708D43CC082DB319D639D8139654
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3a0276c381715b2945f99c7dc68deaacbe48c6f20340770ea694c49548a2fdaf
                                                                                                                                                                                                                      • Instruction ID: 5f0d0020cb13dd4835fa5de00ff150a82e71919640a4629c9d6ebba50eb82aa9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3a0276c381715b2945f99c7dc68deaacbe48c6f20340770ea694c49548a2fdaf
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9221383239C3455FE3289F68ACC179B7693EBC7200F28953CD58597395DAB49401864A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 05138cbabdc80a3af10c228aea33de1959a9dce9bf2d62049151e53430b4be4c
                                                                                                                                                                                                                      • Instruction ID: 2c22502caa2999549552e45288962016bce12bbc1d9e56d541357ed696b52ddd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 05138cbabdc80a3af10c228aea33de1959a9dce9bf2d62049151e53430b4be4c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 671101B560C3049BC304EF24E84196BB7E2FBDA305F14983DE68587321E734EC829A4A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                                      • Instruction ID: e33911fe9070215d35ca5e51225649dc2275d76c858c1e42cbf454372d559ea6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6C114C33A081E00EC3168D3C8500566BFA32A97634F1D539AF4B49B3D3D7278D8B9369
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: fe1456515a9edc830b27937bd2ea67c7b0c014683399f621d5d944aff22c083c
                                                                                                                                                                                                                      • Instruction ID: c50ce8cf9c5f9d345d43c63e05a9bff61589088a4a1618f9609e7476a1dc71ea
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fe1456515a9edc830b27937bd2ea67c7b0c014683399f621d5d944aff22c083c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EF019EF1B0231247D7209E11A4C1B2BB6A86F94748F58443EE80967342DFBEFC05C29A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 967e6cb9ea21bc44fcd4b8d920d1a98461da43aa88d1223373553775f3b866f5
                                                                                                                                                                                                                      • Instruction ID: 48cd2bf5a38dda26d43492ad7cd4619b8b65fe667581452ef5a3b5f5612d356d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 967e6cb9ea21bc44fcd4b8d920d1a98461da43aa88d1223373553775f3b866f5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B01D27AB582048BE3448F75ACC13BBB792E7C2211F15E03DE48693295DD74E9469609
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708620557.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_400000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 76fd8bc342387add2a092c5241631615185f55dff440682e140d6b8b38744bd4
                                                                                                                                                                                                                      • Instruction ID: ee3202f4c7b97d86cec6d154009762f68b7b73f0fade54c8394ff9d3109274f1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 76fd8bc342387add2a092c5241631615185f55dff440682e140d6b8b38744bd4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5F01A93BE91B209BC3244FB8DDC226BEBE1EB59315F1D567EC981AB741C15C9C014794
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetCPInfo.KERNEL32(00000000,00000000,00000000,7FFFFFFF,?,002AEDDD,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 002AEE98
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 002AEF53
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 002AEFE2
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002AF02D
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002AF033
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002AF069
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002AF06F
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002AF07F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 127012223-0
                                                                                                                                                                                                                      • Opcode ID: d12b962477d1db88197332ba1646f270fb3af372e6d71d85930a670431cc81f7
                                                                                                                                                                                                                      • Instruction ID: 78f3e93fad5ee1fe6b92088056385833add4c1998b1926aedaf65e59e0df2809
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d12b962477d1db88197332ba1646f270fb3af372e6d71d85930a670431cc81f7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA71DB729202069FDF219FD48D81FAE77B9DF47310F160165F904A7242DF759C628BA1
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 002945F0
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 0029461C
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 0029465B
                                                                                                                                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00294678
                                                                                                                                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002946B7
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 002946D4
                                                                                                                                                                                                                      • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00294716
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00294739
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2040435927-0
                                                                                                                                                                                                                      • Opcode ID: aff692b8a523798f8c189647d0adae3777a6cbffb4ed2fe9764b3a046efb39c6
                                                                                                                                                                                                                      • Instruction ID: db8a020b6990b7291b99da692a7a1af2ed17af6c1029678064ebde82085804cd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: aff692b8a523798f8c189647d0adae3777a6cbffb4ed2fe9764b3a046efb39c6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DD51B4B292020ABFEF206FA0DC49FAA7BADEF45744F144524F9159A190D774DD22CB60
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strrchr
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3213747228-0
                                                                                                                                                                                                                      • Opcode ID: 28ab9ecce4e15e3143315e353018c5f3af88507dfb5dc82ed59a1ff67c68ab01
                                                                                                                                                                                                                      • Instruction ID: 644956d36d059773a6707a37538a7029536e8b28c4c737f1a398f42a96f268a8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 28ab9ecce4e15e3143315e353018c5f3af88507dfb5dc82ed59a1ff67c68ab01
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 04B14872E24356AFDB11CF68CC81BAE7BA5EF5A710F144155F504AB282DB70DA21CBA0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • type_info::operator==.LIBVCRUNTIME ref: 0029FC43
                                                                                                                                                                                                                      • CallUnexpected.LIBVCRUNTIME ref: 0029FEBC
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CallUnexpectedtype_info::operator==
                                                                                                                                                                                                                      • String ID: `#+$csm$csm$csm
                                                                                                                                                                                                                      • API String ID: 2673424686-2600235502
                                                                                                                                                                                                                      • Opcode ID: 1fe873ae0ee5840010613aeb2a68085d8f400dd4d63259b44ae08fec437cfda4
                                                                                                                                                                                                                      • Instruction ID: bcc9da31f7e314fe806a71a348a254ec5d515537cf0031178b3ec3fa54ae64e3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1fe873ae0ee5840010613aeb2a68085d8f400dd4d63259b44ae08fec437cfda4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D2B16A7182020AEFCF95DFA4CA819AEB7B5BF04314F14416AEC15AB216D731DA71CFA1
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00295477
                                                                                                                                                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0029547F
                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00295508
                                                                                                                                                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00295533
                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00295588
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                                      • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                      • Opcode ID: a448192a347f2b88bf67dd7a90e0f8ad81e0e2c6b90db695391915c35b25fc24
                                                                                                                                                                                                                      • Instruction ID: 71b561cdadb6a06d88e9dd96ff6dbaa183f141f6e9309f7a19861e21d26f22a3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a448192a347f2b88bf67dd7a90e0f8ad81e0e2c6b90db695391915c35b25fc24
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A141E330B20629DBCF11DF68C884A9E7FB5AF05314F558155E8185B352DB31EE65CF90
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 002938A2
                                                                                                                                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?,?,?,0029386B,?,00000000,?,0028B20C,?,?,0028D57E), ref: 002938C1
                                                                                                                                                                                                                      • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0029386B,?,00000000,?,0028B20C,?,?,0028D57E), ref: 002938EF
                                                                                                                                                                                                                      • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0029386B,?,00000000,?,0028B20C,?,?,0028D57E), ref: 0029394A
                                                                                                                                                                                                                      • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,0029386B,?,00000000,?,0028B20C,?,?,0028D57E), ref: 00293961
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AcquireExclusiveLock$CurrentThread
                                                                                                                                                                                                                      • String ID: k8)
                                                                                                                                                                                                                      • API String ID: 66001078-4008630596
                                                                                                                                                                                                                      • Opcode ID: c27314219a232a70853823fab2d7abded8dd27385d0415bf0b2965faa7ea588b
                                                                                                                                                                                                                      • Instruction ID: b37247fa117991ed11d019b35f360cbf071b7887acf6ba81c9e997c065810971
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c27314219a232a70853823fab2d7abded8dd27385d0415bf0b2965faa7ea588b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A2415B31920A07DFEF20DF65C484B6AB3F5FF09310B504A29E446D7640E7B0EAA5CB51
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,BB40E64E,?,002A1508,002831F2,?,00000000,?), ref: 002A14BA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                      • API String ID: 3664257935-537541572
                                                                                                                                                                                                                      • Opcode ID: 8f14552486478e7894aec496dadcb62492e2617f8ee7573a2c29f3e1a3a47b4e
                                                                                                                                                                                                                      • Instruction ID: 76cf7d756224fd9f56e8b400bb55f30166a62a0bbcc3e329ef32e9952a7a45a1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8f14552486478e7894aec496dadcb62492e2617f8ee7573a2c29f3e1a3a47b4e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79210035E11212A7CB319F69FC44AAA37589B47770F260210F915A72D1DF70ED30C6D0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002947C1
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 002947CF
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 002947E0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                             • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                      • String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                                                                                                                                                      • API String ID: 667068680-1047828073
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,0029F2A3,00294E61,002941CC), ref: 0029F2BA
                                                                                                                                                                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0029F2C8
                                                                                                                                                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0029F2E1
                                                                                                                                                                                                                      • SetLastError.KERNEL32(00000000,0029F2A3,00294E61,002941CC), ref: 0029F333
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3852720340-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __EH_prolog3.LIBCMT ref: 00293296
                                                                                                                                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 002932A0
                                                                                                                                                                                                                        • Part of subcall function 00284360: std::_Lockit::_Lockit.LIBCPMT ref: 0028438E
                                                                                                                                                                                                                        • Part of subcall function 00284360: std::_Lockit::~_Lockit.LIBCPMT ref: 002843B9
                                                                                                                                                                                                                      • codecvt.LIBCPMT ref: 002932DA
                                                                                                                                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00293311
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
                                                                                                                                                                                                                      • String ID: X+
                                                                                                                                                                                                                      • API String ID: 3716348337-1938338529
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,002B0244,000000FF,?,0029A5FD,0029A4E4,?,0029A699,00000000), ref: 0029A571
                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0029A583
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,002B0244,000000FF,?,0029A5FD,0029A4E4,?,0029A699,00000000), ref: 0029A5A5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 002A1C52
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 002A1D1B
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002A1D82
                                                                                                                                                                                                                        • Part of subcall function 002A04C1: HeapAlloc.KERNEL32(00000000,?,?,?,0029119F,?,?,002831F2,00001000,?,0028313A), ref: 002A04F3
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002A1D95
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 002A1DA2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1096550386-0
                                                                                                                                                                                                                      • Opcode ID: e6d53ea0f0e158bbdfa6a3c051b3fe1ff4db7876ca4f1160c0a55f7cf9a71e3f
                                                                                                                                                                                                                      • Instruction ID: eb7135c25da19a8abc6ee50ade0428da480ca7d33ab71660ad04a39f2e1b7378
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e6d53ea0f0e158bbdfa6a3c051b3fe1ff4db7876ca4f1160c0a55f7cf9a71e3f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CF5184726206066FEF109E60CC81EBB7BAEEF46720F190529FD04D6155EF70DD708A60
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseFileHandleSize
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3849164406-0
                                                                                                                                                                                                                      • Opcode ID: 7a5571745a85aa2c0799291717461dc9f553c9e2a365986e3eaaa71fe82f594d
                                                                                                                                                                                                                      • Instruction ID: d4e22e729d9d7805c062711c2ae3642ceb817fe6c4fb012b99a5b69a4d7a18a0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7a5571745a85aa2c0799291717461dc9f553c9e2a365986e3eaaa71fe82f594d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9871C2B4D05248CFCB10EFA8D59879DBBF4BF48304F108529E499AB381E774A966CF52
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __EH_prolog3.LIBCMT ref: 00291853
                                                                                                                                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0029185E
                                                                                                                                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 002918CC
                                                                                                                                                                                                                        • Part of subcall function 00291755: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0029176D
                                                                                                                                                                                                                      • std::locale::_Setgloballocale.LIBCPMT ref: 00291879
                                                                                                                                                                                                                      • _Yarn.LIBCPMT ref: 0029188F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1088826258-0
                                                                                                                                                                                                                      • Opcode ID: b37e1aafd931488de32a61cf550a2d6c2d89c8a397a6ed251d0e24bf9335345b
                                                                                                                                                                                                                      • Instruction ID: 6e2188eaf501f1362f6abc966a4962f7bd791d38fc3e6860da89e8e7b4cd2e08
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b37e1aafd931488de32a61cf550a2d6c2d89c8a397a6ed251d0e24bf9335345b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C101D475A102129BDF06EF61E8459BC7771BFC4340B554148E81157391EF346E72CF81
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,002AAC9D,00000000,?,002BEFA0,?,?,?,002AABD4,00000004,InitializeCriticalSectionEx,002B4F0C,002B4F14), ref: 002AAC0E
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,002AAC9D,00000000,?,002BEFA0,?,?,?,002AABD4,00000004,InitializeCriticalSectionEx,002B4F0C,002B4F14,00000000,?,002A016C), ref: 002AAC18
                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 002AAC40
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                      • String ID: api-ms-
                                                                                                                                                                                                                      • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                      • Opcode ID: 99c67ccab864be8b81d3a09384c4dd58e92b0e796d7ee859b72e27bd2eb2a657
                                                                                                                                                                                                                      • Instruction ID: 97f1f8fe43006218ea43317a25337cc2b66dd8360708ea88c910dd14ff18cfcb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 99c67ccab864be8b81d3a09384c4dd58e92b0e796d7ee859b72e27bd2eb2a657
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4BE01270690205BBEF101F50FC0AB693B59AF11B51F144021F90CA80E1DB61D960C646
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • AcquireSRWLockExclusive.KERNEL32(002BE448,00000004,?,0028917E,?,?,002890E8,?,00288F17), ref: 00291260
                                                                                                                                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(002BE448,?,0028917E,?,?,002890E8,?,00288F17), ref: 00291293
                                                                                                                                                                                                                      • WakeAllConditionVariable.KERNEL32(002BE444,?,0028917E,?,?,002890E8,?,00288F17), ref: 0029129E
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                                                                                                                                                                                                      • String ID: H+
                                                                                                                                                                                                                      • API String ID: 1466638765-325592419
                                                                                                                                                                                                                      • Opcode ID: 55b85f0e948b31a1b471536b353a55a58f17ef4c4a099a37d21ec1910ec3f4a8
                                                                                                                                                                                                                      • Instruction ID: 6493598c589a8273bb4f79b8f3ebaf30af366f2b8fadfbc38f250761f3ae53bd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 55b85f0e948b31a1b471536b353a55a58f17ef4c4a099a37d21ec1910ec3f4a8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E1F039B8601100DFCB04EF68F84D8C477B8EB0D341B0A822AF90983320EA746900CF52
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 002A83C9
                                                                                                                                                                                                                        • Part of subcall function 002A05D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002A1D78,?,00000000,-00000008), ref: 002A0632
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002A861B
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 002A8661
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 002A8704
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2112829910-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AdjustPointer
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1740715915-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A05D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002A1D78,?,00000000,-00000008), ref: 002A0632
                                                                                                                                                                                                                      • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 002A61F6
                                                                                                                                                                                                                      • __dosmaperr.LIBCMT ref: 002A61FD
                                                                                                                                                                                                                      • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 002A6237
                                                                                                                                                                                                                      • __dosmaperr.LIBCMT ref: 002A623E
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1913693674-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 002A7590
                                                                                                                                                                                                                        • Part of subcall function 002A05D1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,002A1D78,?,00000000,-00000008), ref: 002A0632
                                                                                                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002A75C8
                                                                                                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002A75E8
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 158306478-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,002AE59F,00000000,00000001,?,?,?,002A8758,?,00000000,00000000), ref: 002AF0C7
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,002AE59F,00000000,00000001,?,?,?,002A8758,?,00000000,00000000,?,?,?,002A809E,?), ref: 002AF0D3
                                                                                                                                                                                                                        • Part of subcall function 002AF124: CloseHandle.KERNEL32(FFFFFFFE,002AF0E3,?,002AE59F,00000000,00000001,?,?,?,002A8758,?,00000000,00000000,?,?), ref: 002AF134
                                                                                                                                                                                                                      • ___initconout.LIBCMT ref: 002AF0E3
                                                                                                                                                                                                                        • Part of subcall function 002AF105: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002AF0A1,002AE58C,?,?,002A8758,?,00000000,00000000,?), ref: 002AF118
                                                                                                                                                                                                                      • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,002AE59F,00000000,00000001,?,?,?,002A8758,?,00000000,00000000,?), ref: 002AF0F8
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2744216297-0
                                                                                                                                                                                                                      • Opcode ID: 5f0983dec88ca064f7d8dca70eeeb17208492d1fd10942d7a25afdd74c9acdcb
                                                                                                                                                                                                                      • Instruction ID: df418052c2557e24957f92c35a22347bcab72ffe8a17c01b1011d95ed20bc231
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5f0983dec88ca064f7d8dca70eeeb17208492d1fd10942d7a25afdd74c9acdcb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3BF0AC36510115BBCF621FD5ED089993F6AFB093A1B164520FA1D95120DA369920AF91
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00294C22
                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00294C31
                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 00294C3A
                                                                                                                                                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00294C47
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2933794660-0
                                                                                                                                                                                                                      • Opcode ID: ab3a9931ad1c7f1ebe03f2ef9e2a0f690fc403867e0b337d78399546b5037dbb
                                                                                                                                                                                                                      • Instruction ID: b92d610e3066a9549a3d5f865d87180bad352bd627efdef93b0c08c401782719
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ab3a9931ad1c7f1ebe03f2ef9e2a0f690fc403867e0b337d78399546b5037dbb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 24F06274D1020DEBCB00DBB4D94999EBBF8FF1C304B914A95A412E7110E734AB449F51
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strcspn
                                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                                      • API String ID: 3709121408-2766056989
                                                                                                                                                                                                                      • Opcode ID: d143074954d09e0b331dc13dc577e5d8c46c8e8f1e9ceb7f6de909f620cba847
                                                                                                                                                                                                                      • Instruction ID: a7c17f52162f2447ba42282631a92cb48b13fb1a73981e2e26228672b687d00d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d143074954d09e0b331dc13dc577e5d8c46c8e8f1e9ceb7f6de909f620cba847
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7A32E4B89152698FCB14EF24C981A9DFBF1BF48300F0585EAE849A7341D734AE95CF91
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 002A0713: GetLastError.KERNEL32(00000000,?,002A2A49), ref: 002A0717
                                                                                                                                                                                                                        • Part of subcall function 002A0713: SetLastError.KERNEL32(00000000,?,?,00000028,0029D2C9), ref: 002A07B9
                                                                                                                                                                                                                      • GetACP.KERNEL32 ref: 002A4E31
                                                                                                                                                                                                                      • IsValidCodePage.KERNEL32(00000000), ref: 002A4E68
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$CodePageValid
                                                                                                                                                                                                                      • String ID: utf8
                                                                                                                                                                                                                      • API String ID: 943130320-905460609
                                                                                                                                                                                                                      • Opcode ID: 6e0be9cf3e0980904fc8aff4722ab2993692328d386d1c6177c49345e091d6c3
                                                                                                                                                                                                                      • Instruction ID: f17cae4ba0b37a702618759e56c3deb6974e64ab58236dfb6d3730531674d6c6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6e0be9cf3e0980904fc8aff4722ab2993692328d386d1c6177c49345e091d6c3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3551B631A20602AFDB257F348C82BA673A8BFC7740F14442AF905D7581EFF0E9648A61
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0029FE49,?,?,00000000,00000000,00000000,?), ref: 0029FF6D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: EncodePointer
                                                                                                                                                                                                                      • String ID: MOC$RCC
                                                                                                                                                                                                                      • API String ID: 2118026453-2084237596
                                                                                                                                                                                                                      • Opcode ID: b3b8d466058c4154f8175cee1ff82c511756e7114347bdb738399b3ec931c67a
                                                                                                                                                                                                                      • Instruction ID: c2999d9e3c4c455955c0593c5bcf6082ae48f636a249b34a07ff1c63245fbbec
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b3b8d466058c4154f8175cee1ff82c511756e7114347bdb738399b3ec931c67a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F1414C7291010AAFCF16DF94CD81AEEBBB5FF49300F148169F904A7261D735A9A0DF51
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0029FA2B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ___except_validate_context_record
                                                                                                                                                                                                                      • String ID: csm$csm
                                                                                                                                                                                                                      • API String ID: 3493665558-3733052814
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __alloca_probe_16.LIBCMT ref: 0029200A
                                                                                                                                                                                                                      • RaiseException.KERNEL32(?,?,?,?), ref: 0029202F
                                                                                                                                                                                                                        • Part of subcall function 00294D23: RaiseException.KERNEL32(E06D7363,00000001,00000003,00293ADE,?,?,?,?,00293ADE,00001000,002BAE2C,00001000), ref: 00294D84
                                                                                                                                                                                                                        • Part of subcall function 0029D2B9: IsProcessorFeaturePresent.KERNEL32(00000017,00297E7B,?,?,?,?,00000000), ref: 0029D2D5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                                      • API String ID: 1924019822-1018135373
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Yarn
                                                                                                                                                                                                                      • String ID: =n+
                                                                                                                                                                                                                      • API String ID: 1767336200-2217742520
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • AcquireSRWLockExclusive.KERNEL32(002BE448,00000000,00000004,?,00289155,?,?,002890E8,?,00288F17), ref: 00291212
                                                                                                                                                                                                                      • ReleaseSRWLockExclusive.KERNEL32(002BE448,?,00289155,?,?,002890E8,?,00288F17), ref: 0029124C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExclusiveLock$AcquireRelease
                                                                                                                                                                                                                      • String ID: H+
                                                                                                                                                                                                                      • API String ID: 17069307-325592419
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleExW.KERNEL32(00000002,00000000,(,?,?,002919BC,?,?,0029198D,?,?,?,0028E1E1), ref: 00291A05
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000002.00000002.1708500104.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708483451.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708527700.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708545261.00000000002BC000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708560584.00000000002C1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708574979.00000000002C4000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      • Associated: 00000002.00000002.1708606262.000000000030C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_280000_Neverlose.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                                                                      • String ID: MZx$(
                                                                                                                                                                                                                      • API String ID: 4139908857-1019860307