
Windows Analysis Report
icivfhp7cR.exe

Overview

General Information

Sample name: icivfhp7cR.exe (renamed because the original name is a hash value)
Original sample name: 5D5B594C8415B08D3C1C3051825586BF.exe
Analysis ID: 1589286
MD5: 5d5b594c8415b08d3c1c3051825586bf
SHA1: 5a47230045d9e2e441064a1bb4353c771b86e8bd
SHA256: a4cc67246a0ea59d26443aafec204a48a1ddc57d19de09ac75fe391aed9a2fe5
Tags: exe, ValleyRAT, user-abuse_ch

Detection

GhostRat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Note: the abuse.ch submitter tag names the family ValleyRAT, while Joe Sandbox's Yara rule and configuration extractor classify the in-memory code as GhostRat. The labels are not in conflict: ValleyRAT is generally reported as a Gh0st RAT derivative, and the Yara and extractor hits below are on Gh0st-style code.

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • icivfhp7cR.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\icivfhp7cR.exe" MD5: 5D5B594C8415B08D3C1C3051825586BF)
  • cleanup

Malware Configuration

{"C2 url": "192.168.1.200:9999"}

Yara Overview

Memory dumps (38 entries in the full report; the first five are shown):

Source | Rule | Description | Author
00000000.00000003.2778764004.0000000004962000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000000.00000003.2145939806.0000000004931000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000000.00000003.2145939806.0000000004962000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000000.00000003.4028302757.0000000001460000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000000.00000003.3811780072.0000000004921000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security

Unpacked PEs (75 entries in the full report; the first five are shown):

Source | Rule | Description | Author
0.3.icivfhp7cR.exe.4962c53.5.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
0.3.icivfhp7cR.exe.4962c53.3.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
0.2.icivfhp7cR.exe.4962c53.7.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
0.3.icivfhp7cR.exe.4962c53.34.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
0.2.icivfhp7cR.exe.49221fb.6.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security

Sigma Overview

No Sigma rule has matched

Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-12T00:32:02.617402+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 45.207.211.42 | 6666 | TCP
2025-01-12T00:33:13.299460+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 45.207.211.42 | 6666 | TCP
2025-01-12T00:34:22.049729+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49982 | 45.207.211.42 | 6666 | TCP
2025-01-12T00:35:31.846544+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.5 | 49984 | 45.207.211.42 | 6666 | TCP


                      AV Detection

Source: icivfhp7cR.exe | Avira: detected
Source: 0.3.icivfhp7cR.exe.4962c53.1.raw.unpack | Malware Configuration Extractor: GhostRat {"C2 url": "192.168.1.200:9999"}
Source: icivfhp7cR.exe | Virustotal: Detection: 73%
Source: icivfhp7cR.exe | ReversingLabs: Detection: 87%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: icivfhp7cR.exe | Joe Sandbox ML: detected
Compliance

Source: icivfhp7cR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: icivfhp7cR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Spreading

Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: z:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: x:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: v:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: t:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: r:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: p:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: n:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: l:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: j:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: h:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: f:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: b:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: y:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: w:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: u:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: s:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: q:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: o:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: m:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: k:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: i:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: g:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: e:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File opened: [:
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B80F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW

Note: "[:" is not a drive letter. '[' (0x5B) is the ASCII character immediately after 'Z' (0x5A), so the attempt to open "[:" indicates that the sample's drive-letter loop runs one character past Z. The opened-drive events are the probes of letters that do not exist on the analysis VM; GetLogicalDriveStringsW/QueryDosDeviceW at 0_2_035B80F0 is the companion enumeration of the drives that do.

                      Networking

Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.5:49704 -> 45.207.211.42:6666
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.5:49705 -> 45.207.211.42:6666
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.5:49982 -> 45.207.211.42:6666
Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.5:49984 -> 45.207.211.42:6666
Source: Malware configuration extractor | URLs: 192.168.1.200:9999
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 45.207.211.42:6666
Source: Joe Sandbox View | ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: unknown | TCP traffic detected without corresponding DNS query: 45.207.211.42 (50 occurrences in the report)
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003B3340 recv,timeGetTime,_memmove
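Two things in this section deserve a second look before the C2 goes into a block list: the extracted configuration points at 192.168.1.200:9999, an RFC 1918 address that cannot be the Internet endpoint the sandbox contacted, while Suricata saw the sample check in to 45.207.211.42:6666 every ~70 seconds over a raw TCP socket with no preceding DNS lookup. The script below is an added example, not part of the Joe Sandbox report and not the sample's or Joe Security's code. It reconciles the two sources using only the values printed above (the alert rows and the config string are copied into constructed inputs), flags a non-routable configured C2, discards the sandbox VM's own address, estimates the beacon period from the alert timestamps, and emits only public addresses as blockable IOCs.

```python
import ipaddress
import statistics
from collections import Counter
from datetime import datetime

# Constructed inputs: values copied from the Suricata alert table and the
# extracted GhostRat configuration shown in this report.
CONFIG_C2 = "192.168.1.200:9999"
SANDBOX_VM = "192.168.2.5"
SURICATA_ALERTS = [
    # (timestamp, sid, source, destination)
    ("2025-01-12T00:32:02.617402+0100", 2052875, "192.168.2.5:49704", "45.207.211.42:6666"),
    ("2025-01-12T00:33:13.299460+0100", 2052875, "192.168.2.5:49705", "45.207.211.42:6666"),
    ("2025-01-12T00:34:22.049729+0100", 2052875, "192.168.2.5:49982", "45.207.211.42:6666"),
    ("2025-01-12T00:35:31.846544+0100", 2052875, "192.168.2.5:49984", "45.207.211.42:6666"),
]


def split_endpoint(endpoint: str):
    """'ip:port' -> (ipaddress object, int port)."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)


def beacon_interval(alerts) -> float:
    """Median seconds between consecutive alerts: a rough check-in period."""
    stamps = sorted(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z") for ts, *_ in alerts)
    deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return statistics.median(deltas) if deltas else 0.0


def triage_c2(config_c2: str, alerts, sandbox_ip: str = SANDBOX_VM) -> dict:
    """Reconcile the C2 from the extracted config with the C2 seen on the wire.

    A private (RFC 1918) configured C2 is reported but never blocked, the
    sandbox's own address is never an IOC, and only globally routable
    destinations end up in the block list.
    """
    cfg_ip, _cfg_port = split_endpoint(config_c2)
    observed = Counter(dst for _, _, _, dst in alerts)
    block = set()
    for endpoint in observed:
        ip, _ = split_endpoint(endpoint)
        if ip.is_global and str(ip) != sandbox_ip:
            block.add(str(ip))
    return {
        "config_c2": config_c2,
        "config_is_private": cfg_ip.is_private,
        "config_seen_on_wire": config_c2 in observed,
        "observed": dict(observed),
        "sids": sorted({sid for _, sid, _, _ in alerts}),
        "beacon_interval_s": round(beacon_interval(alerts)),
        "block": sorted(block),
    }


if __name__ == "__main__":
    for key, value in triage_c2(CONFIG_C2, SURICATA_ALERTS).items():
        print(f"{key}: {value}")
```

For this report the result is a block list containing only 45.207.211.42, a configured C2 marked private and never seen on the wire, and a beacon period of about 70 s. The private address is still worth keeping as a host-side string indicator (the extractor found it in the unpacked code), but the network IOC that matters is the one Suricata matched on SID 2052875.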

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035BE850 [esc] (listed four times in the report)
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035BE850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035BBC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035BE4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
System Summary

Source: C:\Users\user\Desktop\icivfhp7cR.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035BB463 ExitWindowsEx
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035BB41B ExitWindowsEx
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035BB43F ExitWindowsEx
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003B24B0
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003C0CAE
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003C2D61
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003C11FF
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003C1E2C
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003BB6A6
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003C1750
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B6EE0
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B6C50
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035CE341
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035C8381
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035CEA1D
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B8900
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035CF9FF
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035CD89F
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035CDDF0
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B24B0
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_0344F3BE
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_0344D25E
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_034382BF
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_0343689F
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_0344D7AF
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_03431E6F
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_0343660F
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_03447D40
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_0344DD00
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: String function: 03443CBF appears 32 times
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: String function: 035C4300 appears 32 times

Note: the function addresses fall into two distinct ranges. The CRT-style routines (the EncodePointer/LoadLibraryW resolver at 0_2_003BC52C, the IsDebuggerPresent/UnhandledExceptionFilter handlers at 0_2_003B69D5 and 0_2_003B8678) sit in the 0x003Bxxxx range, whereas every operational RAT routine in this report (clipboard and keystroke logging at 0_2_035BE850, screen capture at 0_2_035BBC70, event-log clearing at 0_2_035BB3C0, token-privilege adjustment at 0_2_035B7xxx, drive enumeration at 0_2_035B80F0) sits in the 0x035Bxxxx range, with a third block of functions at 0x0343xxxx-0x0344xxxx. The same low 16 bits recur in both ranges (0_2_003B24B0 and 0_2_035B24B0), which is consistent with a second code image being mapped in memory, the same image on which the "unpack" Yara hits above fired.
Source: icivfhp7cR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B7B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B7740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B7620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B6C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B6050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B6150 wsprintfW,_memset,lstrcatW,lstrcatW,lstrcatW,CoCreateInstance,wsprintfW,RegOpenKeyExW,_memset,wsprintfW,RegOpenKeyExW,_memset,RegQueryValueExW,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Mutant created: \Sessions\1\BaseNamedObjects\2025. 1. 4
Source: icivfhp7cR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: icivfhp7cR.exe | Virustotal: Detection: 73%
Source: icivfhp7cR.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: dinput8.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: kernel.appcore.dll (listed twice)
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: devenum.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: msdmo.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
Source: icivfhp7cR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: icivfhp7cR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: icivfhp7cR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: icivfhp7cR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: icivfhp7cR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: icivfhp7cR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Note: two of the items above are worth reading together with the capture section. The query of CLSID {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} (CLSID_SystemDeviceEnum, DirectShow's device enumerator) together with the loads of devenum.dll, avicap32.dll and msvfw32.dll means the sample enumerates video capture devices, i.e. it has webcam support on top of the screen, keyboard and clipboard capture listed earlier. By contrast, the read of HKCU\...\Safer\CodeIdentifiers is the Software Restriction Policy lookup performed on behalf of every new process and is not a useful indicator on its own.
Data Obfuscation

Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003BC52C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: icivfhp7cR.exe | Static PE information: real checksum: 0x1d2ad should be: 0x22419
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003B9EF5 push ecx; ret 0_2_003B9F08
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035C4345 push ecx; ret 0_2_035C4358
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035DA168 push eax; ret 0_2_035DA119
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035DA0B8 push eax; ret 0_2_035DA119
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035D2450 push ebp; retf 0_2_035D2474
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035D2470 push ebp; retf 0_2_035D2474
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_03443D04 push ecx; ret 0_2_03443D17

Note: the LoadLibraryW/GetProcAddress/EncodePointer sequence at 0_2_003BC52C is the pattern the stock MSVC C runtime uses at start-up to resolve optional kernel32 exports, so that hit is weak on its own; the checksum mismatch is the stronger of the two static findings. Only kernel drivers and boot-start DLLs have their checksum enforced by the loader, so a value of 0 is common and harmless, but a non-zero value that does not match the file (0x1d2ad stored versus 0x22419 computed here) usually means the image was modified after it was linked, for instance by packing, patching or appending data.
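The checksum finding above is easy to reproduce independently of the sandbox. The Python below is an added example, not part of the Joe Sandbox report, the sample, or Joe Security's tooling: it implements the PE image checksum (the CheckSumMappedFile algorithm: sum the file as little-endian dwords with end-around carry, skip the dword holding OptionalHeader.CheckSum, fold to 16 bits, add the file length) and reports a mismatch only for a non-zero stored value. Because the sample itself is not on this page, the stand-alone run exercises the routine on a constructed headers-only PE32 skeleton; pass a real file path to check an actual binary. The helper assumes e_lfanew is 4-byte aligned, which every valid PE produced by a linker satisfies.

```python
import struct


def pe_checksum_raw(data: bytes, checksum_offset: int) -> int:
    """PE image checksum (CheckSumMappedFile algorithm) over raw file bytes.

    checksum_offset is the file offset of OptionalHeader.CheckSum; that dword
    is excluded from the sum. Assumes the offset is 4-byte aligned.
    """
    total = len(data)
    padded = data + b"\0" * (-total % 4)        # the algorithm consumes whole dwords
    checksum = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:              # skip the field itself
            continue
        checksum += struct.unpack_from("<I", padded, off)[0]
        if checksum > 0xFFFFFFFF:               # end-around carry at 32 bits
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)   # fold to 16 bits
    checksum = (checksum + (checksum >> 16)) & 0xFFFF
    return checksum + total                     # plus the unpadded file length


def pe_checksum_fields(data: bytes) -> tuple:
    """Return (stored, computed) CheckSum for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # CheckSum is at offset 64 of the optional header, which follows the 4-byte
    # signature and the 20-byte IMAGE_FILE_HEADER (same layout for PE32/PE32+).
    checksum_offset = e_lfanew + 4 + 20 + 64
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    return stored, pe_checksum_raw(data, checksum_offset)


def checksum_mismatch(data: bytes) -> bool:
    """True only for a non-zero stored checksum that does not match the file.

    A zero field is the linker's default for user-mode images and is not a
    finding; a wrong non-zero value points at post-link modification.
    """
    stored, computed = pe_checksum_fields(data)
    return stored != 0 and stored != computed


def build_minimal_pe(checksum_value: int = 0) -> bytes:
    """Constructed PE32 skeleton (headers only, not loadable) used to exercise
    the routine in place of the sample, which is not available here."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    # Machine i386, 0 sections, no symbols, 224-byte optional header, EXE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 64, checksum_value)                 # CheckSum
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0)
    stored, computed = pe_checksum_fields(image)
    print(f"stored 0x{stored:x}, computed 0x{computed:x}, mismatch={checksum_mismatch(image)}")
```

Run against the sample, the two hex values printed should match the "real checksum" and "should be" figures in the report; the skeleton demonstrates the invariant that matters for the check, namely that writing the computed value back into the field leaves the computed value unchanged, so any other non-zero value is a genuine mismatch.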
Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035BB3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Key value created or modified: HKEY_CURRENT_USER\Console\0 d33f351a4aeea5e608853d1a56661059

Note: ClearEventLogW does not remove its own trace. Clearing the Security log writes Event ID 1102 ("The audit log was cleared") to the Security log, and clearing any other classic log writes Event ID 104 to the System log, so both IDs are the detection to alert on for this capability.
Malware Analysis System Evasion

Source: C:\Users\user\Desktop\icivfhp7cR.exe | Window / User API: threadDelayed 3403
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Window / User API: threadDelayed 5591
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-38144
Source: C:\Users\user\Desktop\icivfhp7cR.exe TID: 7368 | Thread sleep count: 268 > 30
Source: C:\Users\user\Desktop\icivfhp7cR.exe TID: 7392 | Thread sleep count: 110 > 30
Source: C:\Users\user\Desktop\icivfhp7cR.exe TID: 7392 | Thread sleep time: -110000s >= -30000s
Source: C:\Users\user\Desktop\icivfhp7cR.exe TID: 7400 | Thread sleep count: 3403 > 30
Source: C:\Users\user\Desktop\icivfhp7cR.exe TID: 7400 | Thread sleep time: -34030s >= -30000s
Source: C:\Users\user\Desktop\icivfhp7cR.exe TID: 7392 | Thread sleep count: 5591 > 30
Source: C:\Users\user\Desktop\icivfhp7cR.exe TID: 7392 | Thread sleep time: -5591000s >= -30000s
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Thread sleep count: Count: 3403 delay: -10
Source: C:\Users\user\Desktop\icivfhp7cR.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B80F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B7410 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo
Source: icivfhp7cR.exe, 00000000.00000002.4505987200.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\icivfhp7cR.exe | API call chain: ExitProcess graph end node graph_0-38105

Note: the "Hyper-V RAW" string sits next to the mswsock.dll path because it is the display name of the built-in AF_HYPERV Winsock provider, which lands in process memory whenever the Winsock catalog is enumerated (here as a side effect of the sample's socket use); it is not evidence that the sample looks for a hypervisor. The sleep loops, by contrast, are the sample's own behaviour: thousands of short sleeps on TIDs 7392 and 7400 are exactly the pattern that exhausts a sandbox's time budget.
Anti Debugging

Source: C:\Users\user\Desktop\icivfhp7cR.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003B6510 IsDebuggerPresent
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035C054D VirtualProtect ?,-00000001,00000104,?
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003BC52C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_034300CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003C42C7 GetProcessHeap
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003B6530 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003B69D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003B8678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003BAFAE SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035BDF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035BF00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

Note: the IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess sequence (0_2_003B69D5, 0_2_035BF00A) is the MSVC /GS security-cookie failure handler, and the GetProcessHeap hit is CRT heap initialisation, so neither is anti-debugging by itself. The items that do reflect the sample's own intent are the PEB read via fs:[30h] at 0_2_034300CD, the VirtualProtect with PAGE_GUARD-style flags at 0_2_035C054D (the guard-page signature listed above) and, at 0_2_003B6530, GetConsoleWindow followed by ShowWindow, the usual way a console-subsystem binary hides its own window from the user.
                      Source: C:\Users\user\Desktop\icivfhp7cR.exeCode function: 0_2_035C1F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_035C1F67

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003B5830 _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread, 0_2_003B5830
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B77E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, 0_2_035B77E0
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe 0_2_035B77E0
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe 0_2_035B77E0
Source: icivfhp7cR.exe, 00000000.00000003.4323125334.00000000049D4000.00000004.00000020.00020000.00000000.sdmp, icivfhp7cR.exe, 00000000.00000003.3811780072.00000000049D4000.00000004.00000020.00020000.00000000.sdmp, icivfhp7cR.exe, 00000000.00000003.4156882302.00000000049D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0 minProgram Manager
Source: icivfhp7cR.exe, 00000000.00000003.2145939806.0000000004962000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .168.2.5 0 min226546Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: icivfhp7cR.exe, 00000000.00000002.4506815713.00000000049D4000.00000004.00000020.00020000.00000000.sdmp, icivfhp7cR.exe, 00000000.00000003.4490763455.00000000049D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: inProgram ManagerAA>
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW, 0_2_035B5430
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_003BB587 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_003BB587
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035C5D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache, 0_2_035C5D22
Source: C:\Users\user\Desktop\icivfhp7cR.exe | Code function: 0_2_035B6A70 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW, 0_2_035B6A70
Source: icivfhp7cR.exe | Binary or memory string: acs.exe
Source: icivfhp7cR.exe | Binary or memory string: vsserv.exe
Source: icivfhp7cR.exe | Binary or memory string: kxetray.exe
Source: icivfhp7cR.exe | Binary or memory string: avcenter.exe
Source: icivfhp7cR.exe | Binary or memory string: KSafeTray.exe
Source: icivfhp7cR.exe | Binary or memory string: cfp.exe
Source: icivfhp7cR.exe | Binary or memory string: avp.exe
Source: icivfhp7cR.exe | Binary or memory string: 360Safe.exe
Source: icivfhp7cR.exe | Binary or memory string: rtvscan.exe
Source: icivfhp7cR.exe | Binary or memory string: 360tray.exe
Source: icivfhp7cR.exe | Binary or memory string: ashDisp.exe
Source: icivfhp7cR.exe | Binary or memory string: TMBMSRV.exe
Source: icivfhp7cR.exe | Binary or memory string: 360Tray.exe
Source: icivfhp7cR.exe | Binary or memory string: avgwdsvc.exe
Source: icivfhp7cR.exe | Binary or memory string: AYAgent.aye
Source: icivfhp7cR.exe | Binary or memory string: RavMonD.exe
Source: icivfhp7cR.exe | Binary or memory string: QUHLPSVC.EXE
Source: icivfhp7cR.exe | Binary or memory string: Mcshield.exe
Source: icivfhp7cR.exe | Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4962c53.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.34.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.49221fb.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14619f3.31.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.36.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.31d1004.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.22.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.24.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.34305bf.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.27.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.38.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14327cb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.32.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4c21fbb.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.36.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.142fd8b.30.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4bf05eb.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.49221fb.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.38.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.3371053.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4962c53.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14327cb.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.35b0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.3371053.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.27.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14619f3.33.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.20.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4c21fbb.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.37.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.26.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.25.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.34.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.26.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.39.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4bf05eb.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.35b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.29.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.28.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14619f3.33.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.39.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14619f3.31.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.142cbc3.23.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.31d1004.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.142cbc3.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.29.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.34305bf.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.35.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2778764004.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2145939806.0000000004931000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2145939806.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.4028302757.0000000001460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3811780072.0000000004921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2429753914.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3294000150.00000000048FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3459082017.0000000004921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3811780072.0000000004954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.4323125334.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.4156778530.0000000004954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3459250931.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3294094546.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3154380912.0000000001433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2778821308.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3459082017.0000000004954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.4156882302.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4506380529.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3681416095.000000000145D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2267187755.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3988021581.000000000142F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4506791931.0000000004961000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2267123910.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2130764854.0000000001401000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2937923229.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.4322403992.0000000004954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2937817588.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2429710442.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3641171755.000000000142C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2606746078.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.4156778530.0000000004921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3811897303.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3641279974.00000000048F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2606883133.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3294000150.0000000004954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3988147912.00000000048F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4506754022.0000000004921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.4322403992.0000000004921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4506448003.0000000003370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4506886003.0000000004BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: icivfhp7cR.exe PID: 7268, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4962c53.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.34.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.49221fb.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14619f3.31.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.36.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.31d1004.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.22.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.24.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.34305bf.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.27.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.38.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14327cb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.32.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4c21fbb.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.36.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.142fd8b.30.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4bf05eb.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.49221fb.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.38.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.3371053.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4962c53.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14327cb.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.35b0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.3371053.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.24.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.27.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14619f3.33.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.20.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4c21fbb.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.37.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.26.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.25.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.34.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.26.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.39.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.4bf05eb.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.35b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.29.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.28.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14619f3.33.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.39.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.14619f3.31.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.142cbc3.23.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.31d1004.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.142cbc3.23.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.29.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.145e82b.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.icivfhp7cR.exe.34305bf.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.4962c53.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.icivfhp7cR.exe.49221fb.35.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2778764004.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2145939806.0000000004931000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2145939806.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.4028302757.0000000001460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3811780072.0000000004921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2429753914.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3294000150.00000000048FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.3459082017.0000000004921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3811780072.0000000004954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.4323125334.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.4156778530.0000000004954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3459250931.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3294094546.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3154380912.0000000001433000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.2778821308.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3459082017.0000000004954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.4156882302.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4506380529.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3681416095.000000000145D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.2267187755.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3988021581.000000000142F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4506791931.0000000004961000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.2267123910.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.2130764854.0000000001401000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.2937923229.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.4322403992.0000000004954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.2937817588.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.2429710442.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3641171755.000000000142C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.2606746078.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.4156778530.0000000004921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3811897303.0000000004955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3641279974.00000000048F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.2606883133.0000000004962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3294000150.0000000004954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.3988147912.00000000048F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4506754022.0000000004921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.4322403992.0000000004921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4506448003.0000000003370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.4506886003.0000000004BF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: icivfhp7cR.exe PID: 7268, type: MEMORYSTR
MITRE ATT&CK Matrix (bracketed numbers are the signature hit counts shown in the matrix cells, as extracted; unnumbered techniques are the remaining cells of the grid)
• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
• Initial Access: Replication Through Removable Media [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
• Execution: Native API [1]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
• Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
• Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [211]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
• Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [2]; Access Token Manipulation [1]; Process Injection [211]; Indicator Removal [1]
• Credential Access: Input Capture [121]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
• Discovery: System Time Discovery [2]; Peripheral Device Discovery [11]; File and Directory Discovery [1]; System Information Discovery [16]; Security Software Discovery [31]; Virtualization/Sandbox Evasion [2]; Process Discovery [3]; Application Window Discovery [1]; Network Sniffing
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
• Collection: Archive Collected Data [1]; Screen Capture [1]; Input Capture [121]; Clipboard Data [2]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
• Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
• Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Antivirus detection
Source | Detection | Scanner | Label
icivfhp7cR.exe | 73% | Virustotal |
icivfhp7cR.exe | 88% | ReversingLabs | Win32.Trojan.FatalRAT
icivfhp7cR.exe | 100% | Avira | TR/Crypt.XPACK.Gen7
icivfhp7cR.exe | 100% | Joe Sandbox ML |
No Antivirus matches (the report's three further scan tables are empty)
Source | Detection | Scanner | Label
192.168.1.200:9999 | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
192.168.1.200:9999 | true | Avira URL Cloud: safe | unknown
Note that 192.168.1.200 is a private (RFC 1918) address, so the "safe" URL-reputation verdict carries no weight; the endpoint actually contacted during the analysis is the public address below, which is also the destination in the Suricata alerts.
IP | Domain | Country | ASN | ASN Name | Malicious
45.207.211.42 | unknown | Seychelles | 135357 | SKHT-AS Shenzhen Katherine Heng Technology Information Co | true
                      Joe Sandbox version:42.0.0 Malachite
                      Analysis ID:1589286
                      Start date and time:2025-01-12 00:31:09 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 38s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:icivfhp7cR.exe
                      renamed because original name is a hash value
                      Original Sample Name:5D5B594C8415B08D3C1C3051825586BF.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 67
                      • Number of non-executed functions: 164
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                      • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Report size getting too big, too many NtEnumerateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
Time | Type | Description
18:32:37 | API Interceptor | 4085937x Sleep call for process: icivfhp7cR.exe modified
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ASN SKHT-AS Shenzhen Katherine Heng Technology Information Co, other samples seen on this ASN:
• 6.elf | malicious | Unknown | 154.211.34.18
• wind.mpsl.elf | malicious | Mirai | 154.216.16.103
• wind.arm.elf | malicious | Mirai | 154.216.16.103
• wind.x86.elf | malicious | Mirai | 154.216.16.103
• wind.ppc.elf | malicious | Mirai | 154.216.16.103
• wind.mips.elf | malicious | Mirai | 154.216.16.103
• wind.sh4.elf | malicious | Mirai | 154.216.16.103
• wind.m68k.elf | malicious | Mirai | 154.216.16.103
• https://199.188.109.181 | malicious | Unknown | 45.207.231.119
• wind.x86.elf | malicious | Mirai | 154.216.19.169
No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):6.290239033745102
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:icivfhp7cR.exe
                      File size:111'104 bytes
                      MD5:5d5b594c8415b08d3c1c3051825586bf
                      SHA1:5a47230045d9e2e441064a1bb4353c771b86e8bd
                      SHA256:a4cc67246a0ea59d26443aafec204a48a1ddc57d19de09ac75fe391aed9a2fe5
                      SHA512:8c2cbdf22de1c20186916f1a066522ed2b87ccbe184cbfb7f9282a1456a83747002135292251f725fcc993557da16fb7a4de15895f181b6969753c940c86dd60
                      SSDEEP:3072:ybWjdIPbcia0NFtwwnILn3py6D268XEPKoXe2:ybWjMbcCtwwnchx1yoX
                      TLSH:BFB37B2172A0C072C092253199F9EBB25E7EF93117B844CBB7E416BA5F603C16E7539B
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A..m/N.m/N.m/N...N.m/N...N.m/N...N.m/N...N.m/N.m.N)m/N...N.m/N...N.m/NRich.m/N........................PE..L.....ld...........
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x407903
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Time Stamp:0x646C86E3 [Tue May 23 09:26:59 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:b8bf08fa843a9ec1ce10d80fbf550c26
Entrypoint disassembly (Instruction). The call/jmp pair at the entrypoint is the VS2010 CRT startup stub (call __security_init_cookie, then jmp to the CRT's main startup routine), and the last routine shown, which copies every general-purpose and segment register plus EFLAGS into a fixed global block at 0x0041AC6C-0x0041ACA8, is the CRT's __report_gsfailure stack-cookie failure handler; neither is sample-specific code.
                      call 00007FC055088674h
                      jmp 00007FC05508488Ah
                      mov edi, edi
                      push ebp
                      mov ebp, esp
                      sub esp, 20h
                      mov eax, dword ptr [ebp+08h]
                      push esi
                      push edi
                      push 00000008h
                      pop ecx
                      mov esi, 0041532Ch
                      lea edi, dword ptr [ebp-20h]
                      rep movsd
                      mov dword ptr [ebp-08h], eax
                      mov eax, dword ptr [ebp+0Ch]
                      pop edi
                      mov dword ptr [ebp-04h], eax
                      pop esi
                      test eax, eax
                      je 00007FC0550849FEh
                      test byte ptr [eax], 00000008h
                      je 00007FC0550849F9h
                      mov dword ptr [ebp-0Ch], 01994000h
                      lea eax, dword ptr [ebp-0Ch]
                      push eax
                      push dword ptr [ebp-10h]
                      push dword ptr [ebp-1Ch]
                      push dword ptr [ebp-20h]
                      call dword ptr [00415174h]
                      leave
                      retn 0008h
                      mov edi, edi
                      push ebp
                      mov ebp, esp
                      sub esp, 00000328h
                      mov dword ptr [0041AC90h], eax
                      mov dword ptr [0041AC8Ch], ecx
                      mov dword ptr [0041AC88h], edx
                      mov dword ptr [0041AC84h], ebx
                      mov dword ptr [0041AC80h], esi
                      mov dword ptr [0041AC7Ch], edi
                      mov word ptr [0041ACA8h], ss
                      mov word ptr [0041AC9Ch], cs
                      mov word ptr [0041AC78h], ds
                      mov word ptr [0041AC74h], es
                      mov word ptr [0041AC70h], fs
                      mov word ptr [0041AC6Ch], gs
                      pushfd
                      pop dword ptr [0041ACA0h]
                      mov eax, dword ptr [ebp+00h]
                      mov dword ptr [0041AC94h], eax
                      mov eax, dword ptr [ebp+04h]
                      mov dword ptr [0041AC98h], eax
                      lea eax, dword ptr [ebp+08h]
                      Programming Language:
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [C++] VS2010 build 30319
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18174 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1f000 | 0x1b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0x10a0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x177a0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x15000 | 0x220 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x13339 | 0x13400 | 91e72b671ecf3a4b690e7f91665b69bb | False | 0.5876242897727273 | data | 6.608277772364224 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x15000 | 0x3c9e | 0x3e00 | 83a200fd1e7a04d5a3e20b666438becf | False | 0.36038306451612906 | data | 4.913120874367418 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x5be8 | 0x1c00 | 5715a881ee8f0b84b16742d92b85e319 | False | 0.26395089285714285 | data | 2.937575005001934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1f000 | 0x1b4 | 0x200 | c2d6c399730fd89b16d2b6d6cec5e393 | False | 0.490234375 | data | 5.105006099278344 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x20000 | 0x1dda | 0x1e00 | 609739ae7d4ef71127d78660b5c20026 | False | 0.46640625 | data | 4.555306022928181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x1f058 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786
DLL | Import
KERNEL32.dll | InitializeCriticalSectionAndSpinCount, HeapDestroy, LeaveCriticalSection, HeapCreate, EnterCriticalSection, DeleteCriticalSection, WaitForSingleObject, SetEvent, Sleep, CreateEventA, GetLastError, CloseHandle, GetCurrentThreadId, SwitchToThread, SetLastError, WideCharToMultiByte, lstrlenW, InterlockedExchange, ResetEvent, CreateEventW, CancelIo, TryEnterCriticalSection, SetWaitableTimer, CreateWaitableTimerW, GetThreadContext, InterlockedCompareExchange, OpenProcess, GetFileAttributesA, GetExitCodeProcess, CreateProcessA, GetSystemDirectoryA, VirtualAllocEx, WriteProcessMemory, ResumeThread, FreeLibrary, SetUnhandledExceptionFilter, GetCurrentProcess, LoadLibraryW, GetConsoleWindow, CreateFileW, GetProcAddress, GetLocalTime, IsDebuggerPresent, GetCurrentProcessId, CreateThread, LCMapStringW, WriteConsoleW, SetStdHandle, GetStringTypeW, MultiByteToWideChar, HeapFree, InterlockedDecrement, InterlockedIncrement, HeapAlloc, VirtualAlloc, SetThreadContext, VirtualFree, IsValidCodePage, FlushFileBuffers, GetOEMCP, GetACP, GetCPInfo, GetConsoleMode, GetConsoleCP, SetFilePointer, RtlUnwind, GetSystemTimeAsFileTime, GetTickCount, QueryPerformanceCounter, GetStartupInfoW, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, HeapReAlloc, HeapSize, GetProcessHeap, ExitThread, DecodePointer, EncodePointer, GetCommandLineW, HeapSetInformation, RaiseException, TerminateProcess, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW
USER32.dll | DispatchMessageW, PostThreadMessageA, PeekMessageW, TranslateMessage, MsgWaitForMultipleObjects, ShowWindow, GetInputState, wsprintfW
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteValueW, RegQueryValueExW, RegCreateKeyW, RegSetValueExW
WS2_32.dll | WSAWaitForMultipleEvents, WSAIoctl, connect, WSAStartup, select, WSAResetEvent, setsockopt, WSACleanup, recv, socket, closesocket, send, WSASetLastError, WSACreateEvent, shutdown, WSAEventSelect, WSAEnumNetworkEvents, WSAGetLastError, WSACloseEvent, htons, gethostbyname
WINMM.dll | timeGetTime
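The import table above already supports a first capability triage before any dynamic analysis: the report's signatures for injecting code and threads into remote processes line up with the CreateProcessA / VirtualAllocEx / WriteProcessMemory / GetThreadContext / SetThreadContext / ResumeThread combination, ADVAPI32 is limited to registry reads and writes, and WS2_32 is a plain TCP client with name resolution. The Python below is an added example and not part of the Joe Sandbox report or of the sample: the import map is transcribed from the table above (KERNEL32.dll reduced to the APIs the rules reference), and the rule set is a hand-written, illustrative assumption about which API combinations indicate each behaviour, not a vendor or capa rule set.

```python
"""Capability triage over a PE import table.

Added example, not part of the Joe Sandbox report. IMPORTS is transcribed
from the report's DLL/Import table; RULES is an illustrative assumption
about which API combinations indicate each behaviour.
"""
from typing import Dict, List, Set

# Transcribed from the report's import table. KERNEL32.dll is shortened to
# the APIs the rules below look at; the full list is in the table above.
IMPORTS: Dict[str, Set[str]] = {
    "KERNEL32.dll": {
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ResumeThread",
        "GetThreadContext", "SetThreadContext", "CreateProcessA",
        "CreateThread", "LoadLibraryW", "GetProcAddress", "IsDebuggerPresent",
        "GetSystemDirectoryA", "GetFileAttributesA", "Sleep", "GetTickCount",
        "SetUnhandledExceptionFilter", "TerminateProcess",
    },
    "USER32.dll": {
        "DispatchMessageW", "PostThreadMessageA", "PeekMessageW",
        "TranslateMessage", "MsgWaitForMultipleObjects", "ShowWindow",
        "GetInputState", "wsprintfW",
    },
    "ADVAPI32.dll": {
        "RegCloseKey", "RegOpenKeyExW", "RegDeleteValueW", "RegQueryValueExW",
        "RegCreateKeyW", "RegSetValueExW",
    },
    "WS2_32.dll": {
        "WSAWaitForMultipleEvents", "WSAIoctl", "connect", "WSAStartup",
        "select", "WSAResetEvent", "setsockopt", "WSACleanup", "recv",
        "socket", "closesocket", "send", "WSASetLastError", "WSACreateEvent",
        "shutdown", "WSAEventSelect", "WSAEnumNetworkEvents",
        "WSAGetLastError", "WSACloseEvent", "htons", "gethostbyname",
    },
    "WINMM.dll": {"timeGetTime"},
}

# A rule is a list of alternatives; an alternative is the set of APIs that
# must ALL be imported. Any satisfied alternative is a hit. Illustrative only.
RULES: Dict[str, List[Set[str]]] = {
    "process hollowing / thread-context injection": [
        {"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
         "GetThreadContext", "SetThreadContext", "ResumeThread"},
        {"CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
         "GetThreadContext", "SetThreadContext", "ResumeThread"},
    ],
    "remote thread injection": [
        {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
         "CreateRemoteThread"},
    ],
    "registry value write": [
        {"RegCreateKeyW", "RegSetValueExW"},
        {"RegCreateKeyExW", "RegSetValueExW"},
    ],
    "raw TCP client with host resolution": [
        {"WSAStartup", "socket", "connect", "send", "recv", "gethostbyname"},
    ],
    "runtime API resolution": [
        {"LoadLibraryW", "GetProcAddress"},
        {"LoadLibraryA", "GetProcAddress"},
    ],
    "debugger check": [{"IsDebuggerPresent"}],
}


def all_imports(imports: Dict[str, Set[str]]) -> Set[str]:
    """Flatten the per-DLL map into one set of imported API names."""
    return set().union(*imports.values())


def match_rules(imports: Dict[str, Set[str]],
                rules: Dict[str, List[Set[str]]] = RULES) -> Dict[str, Set[str]]:
    """Return {rule name: APIs of the first alternative fully present}."""
    present = all_imports(imports)
    hits: Dict[str, Set[str]] = {}
    for name, alternatives in rules.items():
        for needed in alternatives:
            if needed <= present:
                hits[name] = set(needed)
                break
    return hits


def missing_for(rule: str, imports: Dict[str, Set[str]],
                rules: Dict[str, List[Set[str]]] = RULES) -> Set[str]:
    """APIs still missing for the closest alternative (empty set if the rule hits)."""
    present = all_imports(imports)
    return min((alt - present for alt in rules[rule]), key=len)


if __name__ == "__main__":
    for rule, apis in match_rules(IMPORTS).items():
        print(f"[+] {rule}: {', '.join(sorted(apis))}")
    for rule in RULES:
        gap = missing_for(rule, IMPORTS)
        if gap:
            print(f"[-] {rule}: missing {', '.join(sorted(gap))}")
```

Running it prints one line per rule that fires and, for the rest, the APIs that would be needed. On this import set only the remote-thread rule fails, on CreateRemoteThread alone, which is consistent with the sample hijacking the thread context of a process it created rather than creating a new thread in an existing one.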
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-12T00:32:02.617402+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 45.207.211.42 | 6666 | TCP
2025-01-12T00:33:13.299460+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49705 | 45.207.211.42 | 6666 | TCP
2025-01-12T00:34:22.049729+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49982 | 45.207.211.42 | 6666 | TCP
2025-01-12T00:35:31.846544+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49984 | 45.207.211.42 | 6666 | TCP
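Four check-ins from fresh source ports to the same endpoint about 70 seconds apart is a beacon cadence, and it is worth measuring rather than eyeballing when writing a detection for it. The Python below is an added example, not part of the Joe Sandbox report: it parses the four alert rows (transcribed from the table above, fields joined with " | "), computes the inter-arrival gaps and calls the sequence periodic when the coefficient of variation of the gaps is below an assumed threshold. The irregular sequence used as a counter-example is constructed for the demonstration.

```python
"""Beacon-cadence check over Suricata alert rows.

Added example, not part of the Joe Sandbox report. ALERTS is transcribed from
the report's four 'ET MALWARE Anonymous RAT CnC Checkin' rows; IRREGULAR is a
constructed counter-example; MAX_CV is an assumed jitter threshold.
"""
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

ALERTS: List[str] = [
    "2025-01-12T00:32:02.617402+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 45.207.211.42 | 6666 | TCP",
    "2025-01-12T00:33:13.299460+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49705 | 45.207.211.42 | 6666 | TCP",
    "2025-01-12T00:34:22.049729+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49982 | 45.207.211.42 | 6666 | TCP",
    "2025-01-12T00:35:31.846544+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.5 | 49984 | 45.207.211.42 | 6666 | TCP",
]

# Constructed counter-example: gaps of 5 s, 295 s and 10 s (not a beacon).
IRREGULAR: List[str] = [
    "2025-01-12T00:00:00.000000+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 10.0.0.2 | 50000 | 203.0.113.9 | 6666 | TCP",
    "2025-01-12T00:00:05.000000+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 10.0.0.2 | 50001 | 203.0.113.9 | 6666 | TCP",
    "2025-01-12T00:05:00.000000+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 10.0.0.2 | 50002 | 203.0.113.9 | 6666 | TCP",
    "2025-01-12T00:05:10.000000+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 10.0.0.2 | 50003 | 203.0.113.9 | 6666 | TCP",
]

MAX_CV = 0.10    # assumption: gaps with coefficient of variation <= this are periodic
MIN_ALERTS = 3   # at least two gaps are needed before cadence means anything


def parse_alert(line: str) -> Tuple[datetime, int, str]:
    """Return (timestamp, SID, 'dst_ip:dst_port') from one ' | '-joined row."""
    fields = [f.strip() for f in line.split("|")]
    ts, sid, _sig, _sev, _sip, _sport, dip, dport, _proto = fields
    # %z accepts the '+0100' form used in the report's timestamps.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), int(sid), f"{dip}:{dport}"


def intervals(times: List[datetime]) -> List[float]:
    """Seconds between consecutive alerts, in chronological order."""
    ordered = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]


def beacon_summary(lines: List[str]) -> Dict[str, object]:
    """Destinations, SIDs, gaps, mean gap and the gaps' coefficient of variation."""
    parsed = [parse_alert(line) for line in lines]
    gaps = intervals([p[0] for p in parsed])
    avg = mean(gaps) if gaps else 0.0
    cv = (pstdev(gaps) / avg) if len(gaps) >= 2 and avg > 0 else None
    return {
        "count": len(parsed),
        "destinations": {p[2] for p in parsed},
        "sids": {p[1] for p in parsed},
        "intervals_s": gaps,
        "mean_s": avg,
        "cv": cv,
    }


def is_periodic(lines: List[str], max_cv: float = MAX_CV) -> bool:
    """True when there are enough alerts and their gaps are nearly constant."""
    s = beacon_summary(lines)
    return s["count"] >= MIN_ALERTS and s["cv"] is not None and s["cv"] <= max_cv


if __name__ == "__main__":
    for label, rows in (("report alerts", ALERTS), ("constructed", IRREGULAR)):
        s = beacon_summary(rows)
        print(f"{label}: {s['count']} alerts to {sorted(s['destinations'])}, "
              f"mean gap {s['mean_s']:.1f}s, cv {s['cv']:.3f}, "
              f"periodic={is_periodic(rows)}")
```

On the report's rows the mean gap is about 69.7 s with a coefficient of variation near 0.01, so the check-ins are effectively jitter-free; a production detector would key on destination and SID as done here, but would also need to tolerate deliberate jitter, which is why the threshold is a parameter rather than a constant.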
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2025 00:32:02.209475994 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:02.616400957 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:02.616504908 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:02.617402077 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:02.622201920 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.491103888 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.491549015 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:03.497956991 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.497987032 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.498013973 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.809926987 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.809988022 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.810040951 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:03.810044050 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.810076952 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.810113907 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.810123920 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:03.810148001 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.810189962 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:03.810199976 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.810233116 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.810267925 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.810276985 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:03.810305119 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.810353041 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:03.810795069 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.816987038 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:03.817034960 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.023031950 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.023056984 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.023073912 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.023088932 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.023108006 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.023185968 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.023323059 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.023349047 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.023366928 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.023382902 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.023423910 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.023478985 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.024405003 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.024420977 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.024446964 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.024468899 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.024499893 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.024552107 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.024800062 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.024816036 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.024831057 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.024862051 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.025887012 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.025903940 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.025919914 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.025942087 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.025963068 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.025985956 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.026001930 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.026040077 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
Jan 12, 2025 00:32:04.026360035 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.026376009 CET | 6666 | 49704 | 45.207.211.42 | 192.168.2.5
Jan 12, 2025 00:32:04.026418924 CET | 49704 | 6666 | 192.168.2.5 | 45.207.211.42
                      Jan 12, 2025 00:32:04.029700041 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.029761076 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.029804945 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.109448910 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.109512091 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.109628916 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.240940094 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241012096 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241066933 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241089106 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.241106033 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241143942 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241148949 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.241177082 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241209984 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241214991 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.241247892 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241286039 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241292000 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.241316080 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241358042 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.241503954 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241538048 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241573095 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241576910 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.241606951 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241647959 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241653919 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.241683006 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.241724968 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.242054939 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.242089987 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.242136955 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.244122028 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.244174004 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.244209051 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.244247913 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.244254112 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.244281054 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.244297981 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.244317055 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.244360924 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.244381905 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.244420052 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.244452953 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.244462967 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.244977951 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.245026112 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.245026112 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.245064020 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.245098114 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.245104074 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.247018099 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.247072935 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.247083902 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.247200012 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.247235060 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.247246027 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.247288942 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.247347116 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.247354984 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.247392893 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.247435093 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.247709990 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.247742891 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.247777939 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.247792006 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.248017073 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.248049974 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.248065948 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.248085976 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.248119116 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.248126030 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.248152971 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.248198986 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.248449087 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.248481989 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.248526096 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.250694036 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.250749111 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.250793934 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.250840902 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.250875950 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.250910997 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.250926018 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.299458027 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.327342987 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.327387094 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.327428102 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.458532095 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.458580971 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.458690882 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.458724976 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.458729029 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.458765030 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.458781958 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.458817005 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.458853006 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.459295034 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459372997 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459408045 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459414005 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.459441900 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459477901 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.459491968 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459525108 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459559917 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459561110 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.459610939 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459642887 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459651947 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.459677935 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459709883 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459713936 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.459744930 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459784031 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.459950924 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.459985971 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.460024118 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.460042000 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.460092068 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.460127115 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.460128069 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.460160971 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.460196018 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.460196972 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.460227013 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.460261106 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.460263014 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.460294962 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.460330009 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.460330009 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.464715958 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.464730978 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.464746952 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.464761019 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.464776039 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.464776993 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.464806080 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.464839935 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.464842081 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.464854956 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.464870930 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.464891911 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.464970112 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.464984894 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.465002060 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.465008974 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.465014935 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.465039968 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.465164900 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.465179920 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.465194941 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.465209961 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.465234995 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.467617989 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.467632055 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.467647076 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.467664003 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.467669964 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.467681885 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.467700005 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.467772961 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.467786074 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.467814922 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.467967987 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.467991114 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.468005896 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.468020916 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.468029976 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.468039036 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.468054056 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.468060017 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.468084097 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.468084097 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.468122005 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.468231916 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.468247890 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.468280077 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.470755100 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.470773935 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.470794916 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.470807076 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.470814943 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.470848083 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.470865011 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.470885038 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.470885038 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.470897913 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.470992088 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471026897 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.471077919 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471081972 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471092939 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471139908 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.471278906 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471297026 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471322060 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.471327066 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471358061 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471375942 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.471386909 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471424103 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.471534967 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471553087 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471576929 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471596956 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.471687078 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471689939 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471699953 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471725941 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.471740007 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.471751928 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471772909 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471791983 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471812010 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.471899986 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471935987 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.471975088 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.471993923 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.472013950 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.472026110 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.518091917 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.545058012 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545129061 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545185089 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545217991 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545243025 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.545254946 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545289993 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545295000 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.545325994 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545358896 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545393944 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545408964 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.545449972 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545469999 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.545486927 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545517921 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.545838118 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545871973 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545886040 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:04.545907021 CET66664970445.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:04.545944929 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:05.597917080 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:05.604352951 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:05.604437113 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:07.565243006 CET497046666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:11.129785061 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:11.134828091 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:11.134849072 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:11.134857893 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:11.134887934 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:11.653475046 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:11.653860092 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:11.658797026 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:22.877579927 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:22.883683920 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:23.184046030 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:23.236874104 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:23.260335922 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:23.265244007 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:39.158849001 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:39.163688898 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:39.464087963 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:39.515619040 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:39.520386934 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:56.815279961 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:56.821742058 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:57.122168064 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:32:57.174402952 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:57.230159998 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:32:57.234971046 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:13.299459934 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:13.304464102 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:14.314932108 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:14.361924887 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:14.424027920 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:14.429006100 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:29.893276930 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:29.898673058 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:30.199382067 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:30.337361097 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:30.343487024 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:45.987159014 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:45.987256050 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:45.992141008 CET66664970545.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:45.992187977 CET497056666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:47.938822031 CET499826666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:47.945768118 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:47.945843935 CET499826666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:53.273312092 CET499826666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:53.279596090 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:53.279617071 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:53.279624939 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:53.281222105 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:53.815268040 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:33:53.815526009 CET499826666192.168.2.545.207.211.42
                      Jan 12, 2025 00:33:53.822148085 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:34:05.549592972 CET499826666192.168.2.545.207.211.42
                      Jan 12, 2025 00:34:05.556436062 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:34:05.867937088 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:34:05.941131115 CET499826666192.168.2.545.207.211.42
                      Jan 12, 2025 00:34:05.949804068 CET499826666192.168.2.545.207.211.42
                      Jan 12, 2025 00:34:05.956423044 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:34:22.049729109 CET499826666192.168.2.545.207.211.42
                      Jan 12, 2025 00:34:22.057703018 CET66664998245.207.211.42192.168.2.5
                      Jan 12, 2025 00:34:22.368570089 CET66664998245.207.211.42192.168.2.5

                      Target ID:0
                      Start time:18:31:59
                      Start date:11/01/2025
                      Path:C:\Users\user\Desktop\icivfhp7cR.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\icivfhp7cR.exe"
                      Imagebase:0x3b0000
                      File size:111'104 bytes
                      MD5 hash:5D5B594C8415B08D3C1C3051825586BF
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2778764004.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2145939806.0000000004931000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2145939806.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.4028302757.0000000001460000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3811780072.0000000004921000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2429753914.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3294000150.00000000048FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3459082017.0000000004921000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3811780072.0000000004954000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.4323125334.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.4156778530.0000000004954000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3459250931.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3294094546.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3154380912.0000000001433000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2778821308.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3459082017.0000000004954000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.4156882302.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4506380529.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3681416095.000000000145D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2267187755.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3988021581.000000000142F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4506791931.0000000004961000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2267123910.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2130764854.0000000001401000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2937923229.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.4322403992.0000000004954000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2937817588.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2429710442.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3641171755.000000000142C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2606746078.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.4156778530.0000000004921000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3811897303.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3641279974.00000000048F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.2606883133.0000000004962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3294000150.0000000004954000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.3988147912.00000000048F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4506754022.0000000004921000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000003.4322403992.0000000004921000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4506448003.0000000003370000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.4506886003.0000000004BF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false

                        Execution Graph

                        Execution Coverage:6.2%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0.8%
                        Total number of Nodes:396
                        Total number of Limit Nodes:20

                        Control-flow Graph

                        APIs
                          • Part of subcall function 035BF707: _malloc.LIBCMT ref: 035BF721
                        • _memset.LIBCMT ref: 035B546C
                        • _memset.LIBCMT ref: 035B5485
                        • _memset.LIBCMT ref: 035B5495
                        • gethostname.WS2_32(?,00000032), ref: 035B54A3
                        • gethostbyname.WS2_32(?), ref: 035B54AD
                        • inet_ntoa.WS2_32 ref: 035B54C5
                        • _strcat_s.LIBCMT ref: 035B54D8
                        • _strcat_s.LIBCMT ref: 035B54F1
                        • inet_ntoa.WS2_32 ref: 035B551A
                        • _strcat_s.LIBCMT ref: 035B552D
                        • _strcat_s.LIBCMT ref: 035B5546
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 035B5573
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 035B5587
                        • GetLastInputInfo.USER32(?), ref: 035B559A
                        • GetTickCount.KERNEL32 ref: 035B55A0
                        • wsprintfW.USER32 ref: 035B55D5
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 035B55E8
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 035B55FC
                        • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 035B5653
                        • wsprintfW.USER32 ref: 035B566C
                        • GetForegroundWindow.USER32 ref: 035B5695
                        • GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 035B56AC
                        • lstrlenW.KERNEL32(000008CC), ref: 035B56D3
                        • lstrlenW.KERNEL32(00000994), ref: 035B5739
                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 035B57AA
                        • GetProcAddress.KERNEL32(00000000), ref: 035B57B1
                        • GetNativeSystemInfo.KERNEL32(?), ref: 035B57C2
                        • GetSystemInfo.KERNEL32(?), ref: 035B57CD
                        • wsprintfW.USER32 ref: 035B5806
                        • GetCurrentProcessId.KERNEL32 ref: 035B5818
                        • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 035B582E
                        • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 035B584B
                        • CloseHandle.KERNEL32(035D5164), ref: 035B587F
                        • GetTickCount.KERNEL32 ref: 035B58E9
                        • __time64.LIBCMT ref: 035B58F8
                        • __localtime64.LIBCMT ref: 035B592F
                        • wsprintfW.USER32 ref: 035B5968
                        • GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 035B597D
                        • GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 035B598C
                        • GetCurrentHwProfileW.ADVAPI32(?), ref: 035B5999
                          • Part of subcall function 035B80F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75A773E0,00000AD4,00000000), ref: 035B8132
                          • Part of subcall function 035B80F0: lstrcmpiW.KERNEL32(?,A:\), ref: 035B8166
                          • Part of subcall function 035B80F0: lstrcmpiW.KERNEL32(?,B:\), ref: 035B8176
                          • Part of subcall function 035B80F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 035B81A6
                          • Part of subcall function 035B80F0: lstrlenW.KERNEL32(?), ref: 035B81B7
                          • Part of subcall function 035B80F0: __wcsnicmp.LIBCMT ref: 035B81CE
                          • Part of subcall function 035B80F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 035B8204
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
                        • String ID: %d min$1.0$2025. 1. 4$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
                        • API String ID: 1101047656-3846995994
                        • Opcode ID: e7ad95a92b3ce55c5017030fd6e7a1789f94c35356f8cc25fcaecc648ea490b8
                        • Instruction ID: 8d9d5336088d602cf17815137a3d172ffc821e10d27bb25c4bf6fbac9343b462
                        • Opcode Fuzzy Hash: e7ad95a92b3ce55c5017030fd6e7a1789f94c35356f8cc25fcaecc648ea490b8
                        • Instruction Fuzzy Hash: C0F1C6B5A40304AFD724EB64EC45FDA73B8BF84700F048958F61AA71A1FB70A649CF55

                        Control-flow Graph

                        control_flow_graph 94 35bdf10-35bdf72 call 35c0542 Sleep 97 35bdf97-35bdf9d 94->97 98 35bdf74-35bdf91 call 35bf707 call 35bfa29 CloseHandle 94->98 100 35bdf9f call 35b7620 97->100 101 35bdfa4-35be019 GetLocalTime wsprintfW SetUnhandledExceptionFilter call 35bfa29 CloseHandle call 35bf707 97->101 98->97 100->101 110 35be01b-35be026 call 35b2c90 101->110 111 35be028 101->111 113 35be02c-35be046 call 35bf707 110->113 111->113 117 35be048-35be049 call 35b9730 113->117 118 35be054 113->118 121 35be04e-35be052 117->121 120 35be058 118->120 122 35be063-35be06f call 35bce00 120->122 121->120 125 35be0b9-35be0fa call 35bf876 * 2 122->125 126 35be071-35be0b7 call 35bf876 * 2 122->126 135 35be100-35be110 125->135 126->135 136 35be152-35be15a 135->136 137 35be112-35be14c call 35bce00 call 35bf876 * 2 135->137 138 35be15c-35be15e 136->138 139 35be162-35be169 136->139 137->136 138->139 141 35be16b-35be175 139->141 142 35be177-35be17b 139->142 144 35be181-35be187 141->144 142->144 146 35be189-35be1a3 EnumWindows 144->146 147 35be1c6-35be1ee call 35c0542 call 35b2da0 144->147 146->147 150 35be1a5-35be1c4 Sleep EnumWindows 146->150 155 35be200-35be2ac call 35c0542 CreateEventA call 35bf876 call 35bca70 147->155 156 35be1f0-35be1fb Sleep 147->156 150->147 150->150 164 35be2b7-35be2bd 155->164 156->122 165 35be318-35be32c call 35b5430 164->165 166 35be2bf-35be2f3 Sleep RegOpenKeyExW 164->166 170 35be331-35be337 165->170 167 35be311-35be316 166->167 168 35be2f5-35be30b RegQueryValueExW 166->168 167->164 167->165 168->167 171 35be36a-35be370 170->171 172 35be339-35be365 CloseHandle 170->172 173 35be372-35be38e call 35bfa29 171->173 174 35be390 171->174 172->122 177 35be394 173->177 174->177 179 35be396-35be39d 177->179 180 35be39f-35be3ae Sleep 179->180 181 35be40d-35be420 179->181 180->179 182 35be3b0-35be3b7 180->182 185 35be432-35be46c call 35c0542 Sleep CloseHandle 181->185 186 35be422-35be42c WaitForSingleObject CloseHandle 181->186 182->181 184 35be3b9-35be3cb 182->184 189 35be3dd-35be408 Sleep CloseHandle 184->189 190 35be3cd-35be3d7 WaitForSingleObject CloseHandle 184->190 185->122 186->185 189->122 190->189
                        APIs
                          • Part of subcall function 035C0542: __fassign.LIBCMT ref: 035C0538
                        • Sleep.KERNEL32(00000000), ref: 035BDF64
                        • CloseHandle.KERNEL32(00000000), ref: 035BDF91
                        • GetLocalTime.KERNEL32(?), ref: 035BDFA9
                        • wsprintfW.USER32 ref: 035BDFE0
                        • SetUnhandledExceptionFilter.KERNEL32(035B75B0), ref: 035BDFEE
                        • CloseHandle.KERNEL32(00000000), ref: 035BE007
                          • Part of subcall function 035BF707: _malloc.LIBCMT ref: 035BF721
                        • EnumWindows.USER32(035B5CC0,?), ref: 035BE19D
                        • Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 035BE1AA
                        • EnumWindows.USER32(035B5CC0,?), ref: 035BE1BE
                        • Sleep.KERNEL32(00000BB8), ref: 035BE1F5
                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 035BE241
                        • Sleep.KERNEL32(00000FA0), ref: 035BE2C4
                        • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 035BE2EB
                        • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 035BE30B
                        • CloseHandle.KERNEL32(?), ref: 035BE35D
                        • Sleep.KERNEL32(000003E8,?,?), ref: 035BE3A4
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 035BE3D0
                        • CloseHandle.KERNEL32(?,?,?), ref: 035BE3D7
                        • Sleep.KERNEL32(000003E8,?,?), ref: 035BE3E2
                        • CloseHandle.KERNEL32(?), ref: 035BE400
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 035BE425
                        • CloseHandle.KERNEL32(?,?,?), ref: 035BE42C
                        • Sleep.KERNEL32(00000000,?,?,?), ref: 035BE446
                        • CloseHandle.KERNEL32(?), ref: 035BE464
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                        • String ID: %4d.%2d.%2d-%2d:%2d:%2d$127.0.0.1$45.207.211.42$45.207.211.42$45.207.211.42$6666$6666$6666$Console$IpDatespecial
                        • API String ID: 1511462596-582182224
                        • Opcode ID: 375cb3bff80c91673cebd7e6df3103a048da4e38e7aab612a478b4ef726ebfd9
                        • Instruction ID: e66cfdeca4cbaea37c044a9fe87ad2538f208fa74be7d333829b3e74804f78b0
                        • Opcode Fuzzy Hash: 375cb3bff80c91673cebd7e6df3103a048da4e38e7aab612a478b4ef726ebfd9
                        • Instruction Fuzzy Hash: EFD1CDB0645341AFD324EF65FC86EAEB7B8BBC4700F040A18F5559B2B0DB70951ADB62

                        Control-flow Graph

                        APIs
                        • GetDesktopWindow.USER32 ref: 035BBC8F
                        • GetDC.USER32(00000000), ref: 035BBC9C
                        • CreateCompatibleDC.GDI32(00000000), ref: 035BBCA2
                        • GetDC.USER32(00000000), ref: 035BBCAD
                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 035BBCBA
                        • GetDeviceCaps.GDI32(00000000,00000076), ref: 035BBCC2
                        • ReleaseDC.USER32(00000000,00000000), ref: 035BBCD3
                        • GetSystemMetrics.USER32(0000004E), ref: 035BBCF8
                        • GetSystemMetrics.USER32(0000004F), ref: 035BBD26
                        • GetSystemMetrics.USER32(0000004C), ref: 035BBD78
                        • GetSystemMetrics.USER32(0000004D), ref: 035BBD8D
                        • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 035BBDA6
                        • SelectObject.GDI32(?,00000000), ref: 035BBDB4
                        • SetStretchBltMode.GDI32(?,00000003), ref: 035BBDC0
                        • GetSystemMetrics.USER32(0000004F), ref: 035BBDCD
                        • GetSystemMetrics.USER32(0000004E), ref: 035BBDE0
                        • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 035BBE07
                        • _memset.LIBCMT ref: 035BBE7A
                        • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 035BBE97
                        • _memset.LIBCMT ref: 035BBEAF
                          • Part of subcall function 035BF707: _malloc.LIBCMT ref: 035BF721
                        • DeleteObject.GDI32(?), ref: 035BBF23
                        • DeleteObject.GDI32(?), ref: 035BBF2D
                        • ReleaseDC.USER32(00000000,?), ref: 035BBF39
                        • DeleteObject.GDI32(?), ref: 035BBFDF
                        • DeleteObject.GDI32(?), ref: 035BBFE9
                        • ReleaseDC.USER32(00000000,?), ref: 035BBFF5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                        • String ID: ($6$gfff$gfff
                        • API String ID: 3293817703-713438465
                        • Opcode ID: 597ec3496ce815cdceae70a37566961f59bc9beca4604c47f635dc73ceb62928
                        • Instruction ID: 1d10886651113733d96e374f157b6b15bda61b18f7fa85bb87b24e05a59c9a95
                        • Opcode Fuzzy Hash: 597ec3496ce815cdceae70a37566961f59bc9beca4604c47f635dc73ceb62928
                        • Instruction Fuzzy Hash: 41D16CB1D01308AFDB24EFE9EC85A9EBBB9FF48300F144529F505AB260D774A945CB91

                        Control-flow Graph

                        APIs
                        • GetCurrentProcessId.KERNEL32(75A773E0), ref: 035B6A94
                        • wsprintfW.USER32 ref: 035B6AA7
                          • Part of subcall function 035B6910: GetCurrentProcessId.KERNEL32(F17FF389,00000000,00000000,75A773E0,?,00000000,035D10DB,000000FF,?,035B6AB3,00000000), ref: 035B6938
                          • Part of subcall function 035B6910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,035D10DB,000000FF,?,035B6AB3,00000000), ref: 035B6947
                          • Part of subcall function 035B6910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,035D10DB,000000FF,?,035B6AB3,00000000), ref: 035B6960
                          • Part of subcall function 035B6910: CloseHandle.KERNEL32(00000000,?,00000000,035D10DB,000000FF,?,035B6AB3,00000000), ref: 035B696B
                        • _memset.LIBCMT ref: 035B6AC2
                        • GetVersionExW.KERNEL32(?), ref: 035B6ADB
                        • GetCurrentProcess.KERNEL32(00000008,?), ref: 035B6B12
                        • OpenProcessToken.ADVAPI32(00000000), ref: 035B6B19
                        • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 035B6B3F
                        • GetLastError.KERNEL32 ref: 035B6B49
                        • LocalAlloc.KERNEL32(00000040,?), ref: 035B6B5D
                        • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 035B6B85
                        • GetSidSubAuthorityCount.ADVAPI32 ref: 035B6B98
                        • GetSidSubAuthority.ADVAPI32(00000000), ref: 035B6BA6
                        • LocalFree.KERNEL32(?), ref: 035B6BB5
                        • CloseHandle.KERNEL32(?), ref: 035B6BC2
                        • wsprintfW.USER32 ref: 035B6C1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                        • String ID: -N/$NO/$None/%s
                        • API String ID: 3036438616-3095023699
                        • Opcode ID: c4b4f7091857fa2ed5b6a2177ab1413f8e9d6c5d0bb33a9e87d568ac6054592e
                        • Instruction ID: 9a4d40a4a564e40949191292bb1acb236a124e37a4fd8ff29f9c7dfb4908471d
                        • Opcode Fuzzy Hash: c4b4f7091857fa2ed5b6a2177ab1413f8e9d6c5d0bb33a9e87d568ac6054592e
                        • Instruction Fuzzy Hash: 2A41D571901218AFDB30DB60ED88FEE7778FB09300F084899F60596161EA34D995CFA1

                        Control-flow Graph

                        control_flow_graph 672 35b6150-35b61a5 call 35c6770 call 35c004b 677 35b6201-35b6228 CoCreateInstance 672->677 678 35b61a7-35b61ae 672->678 680 35b622e-35b6282 677->680 681 35b6422-35b642f lstrlenW 677->681 679 35b61b0-35b61b2 call 35b6050 678->679 685 35b61b7-35b61b9 679->685 692 35b640a-35b6418 680->692 693 35b6288-35b62a2 680->693 683 35b6441-35b6450 681->683 684 35b6431-35b643b lstrcatW 681->684 686 35b645a-35b647a call 35bf00a 683->686 687 35b6452-35b6457 683->687 684->683 689 35b61db-35b61ff call 35c004b 685->689 690 35b61bb-35b61d9 lstrcatW * 2 685->690 687->686 689->677 689->679 690->689 692->681 694 35b641a-35b641f 692->694 693->692 699 35b62a8-35b62b4 693->699 694->681 700 35b62c0-35b6363 call 35c6770 wsprintfW RegOpenKeyExW 699->700 703 35b63e9-35b63ff 700->703 704 35b6369-35b63ba call 35c6770 RegQueryValueExW 700->704 707 35b6402-35b6404 703->707 708 35b63dc-35b63e3 RegCloseKey 704->708 709 35b63bc-35b63da lstrcatW * 2 704->709 707->692 707->700 708->703 709->708
                        APIs
                        • _memset.LIBCMT ref: 035B618B
                        • lstrcatW.KERNEL32(035E1F10,035D510C,?,F17FF389,00000AD4,00000000,75A773E0), ref: 035B61CD
                        • lstrcatW.KERNEL32(035E1F10,035D535C,?,F17FF389,00000AD4,00000000,75A773E0), ref: 035B61D9
                        • CoCreateInstance.OLE32(035D2480,00000000,00000017,035D578C,?,?,F17FF389,00000AD4,00000000,75A773E0), ref: 035B6220
                        • _memset.LIBCMT ref: 035B62CE
                        • wsprintfW.USER32 ref: 035B6336
                        • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 035B635F
                        • _memset.LIBCMT ref: 035B6376
                          • Part of subcall function 035B6050: _memset.LIBCMT ref: 035B607C
                          • Part of subcall function 035B6050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 035B6088
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                        • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                        • API String ID: 1221949200-1583895642
                        • Opcode ID: faf740e66475e60709815fe604f35da19fb279f6260e80b7d110ce5c6f79b8fc
                        • Instruction ID: 1e04b2c5b103a292d6de61887fef3d03adcdcc85d001a2f8eaf947d48cd9bbbc
                        • Opcode Fuzzy Hash: faf740e66475e60709815fe604f35da19fb279f6260e80b7d110ce5c6f79b8fc
                        • Instruction Fuzzy Hash: E68185B1A00228AFDB34DB94DC81FEEB7B8FB48704F044588F619A7162D7749A45CFA5
                        APIs
                        • GetLogicalDriveStringsW.KERNEL32(000003E8,?,75A773E0,00000AD4,00000000), ref: 035B8132
                        • lstrcmpiW.KERNEL32(?,A:\), ref: 035B8166
                        • lstrcmpiW.KERNEL32(?,B:\), ref: 035B8176
                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 035B81A6
                        • lstrlenW.KERNEL32(?), ref: 035B81B7
                        • __wcsnicmp.LIBCMT ref: 035B81CE
                        • lstrcpyW.KERNEL32(00000AD4,?), ref: 035B8204
                        • lstrcpyW.KERNEL32(?,?), ref: 035B8228
                        • lstrcatW.KERNEL32(?,00000000), ref: 035B8233
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                        • String ID: A:\$B:\
                        • API String ID: 950920757-1009255891
                        • Opcode ID: fb89be1b2037e70bce1e510d01d0769bbb52d4c25a5f4b63ee72fd2bf2f6b578
                        • Instruction ID: 69931a9833f390fa937c38db1838bd322a598c3e22d4f8a85581cf536cd2b9b5
                        • Opcode Fuzzy Hash: fb89be1b2037e70bce1e510d01d0769bbb52d4c25a5f4b63ee72fd2bf2f6b578
                        • Instruction Fuzzy Hash: 23419771A022599BDB20DFA4ED84BEEF37CFF84710F044599EA0AA7150E770DA45CB94
                        APIs
                        • GetDriveTypeW.KERNEL32(?,7591DF80,00000000,75A773E0), ref: 035B6C8B
                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 035B6CAA
                        • _memset.LIBCMT ref: 035B6CE1
                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 035B6CF4
                        • swprintf.LIBCMT ref: 035B6D39
                        • swprintf.LIBCMT ref: 035B6D4C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                        • String ID: %sFree%d Gb $:$@$HDD:%d
                        • API String ID: 3202570353-3501811827
                        • Opcode ID: badbf83a4006b5b4092aa8f42d2fc571313b8964196c3bd68d856ff72648b394
                        • Instruction ID: e04941c5c387bc44f04ef93d272790b6ba9b9357306ef96f5536b0236c7279b5
                        • Opcode Fuzzy Hash: badbf83a4006b5b4092aa8f42d2fc571313b8964196c3bd68d856ff72648b394
                        • Instruction Fuzzy Hash: E9315EB6E0020C9BDB14DFE9DC45FEEB7B9FB88700F50821DE91AAB251E6745905CB90
                        APIs
                        • CreateDXGIFactory.DXGI(035D579C,?,F17FF389,7591DF80,00000000,75A773E0), ref: 035B6F4A
                        • swprintf.LIBCMT ref: 035B711E
                        • std::_Xinvalid_argument.LIBCPMT ref: 035B71C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFactoryXinvalid_argumentstd::_swprintf
                        • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                        • API String ID: 3803070356-257307503
                        • Opcode ID: 5f7aef556aaceb4bfa3dc975b8ea6ee223e6edf7af153163df2a87aa6549baa5
                        • Instruction ID: da52c5c613bb85e69e575a210cca063493bfa1614c868482dd63906053e0ea0b
                        • Opcode Fuzzy Hash: 5f7aef556aaceb4bfa3dc975b8ea6ee223e6edf7af153163df2a87aa6549baa5
                        • Instruction Fuzzy Hash: 7BE15571E012699FDF24CE68DC80BEEB375BF89700F1445E9D95AA7294D730AE818F90
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_00006510), ref: 003B6535
                        • GetConsoleWindow.KERNEL32(00000000), ref: 003B653D
                        • ShowWindow.USER32(00000000), ref: 003B6544
                        • GetCurrentThreadId.KERNEL32 ref: 003B6550
                        • PostThreadMessageA.USER32(00000000), ref: 003B6557
                        • GetInputState.USER32 ref: 003B655D
                          • Part of subcall function 003B5E40: _memset.LIBCMT ref: 003B5E71
                        • CreateThread.KERNEL32(00000000,00000000,Function_00006120,00000000,00000000,00000000), ref: 003B6577
                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 003B6585
                        • CloseHandle.KERNEL32(?), ref: 003B6591
                        • Sleep.KERNEL32(0000012C), ref: 003B659C
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Thread$Window$CloseConsoleCreateCurrentExceptionFilterHandleInputMessageObjectPostShowSingleSleepStateUnhandledWait_memset
                        • String ID:
                        • API String ID: 1910205397-0
                        • Opcode ID: 10b938f7ce63c1f34b294b40c50bda364b380a06fafb19d9394e1db9bd94fe5c
                        • Instruction ID: 03304ced73c57dde6dea8f795181a1f20cec26d991b0dd107e00d7bda2c2889c
                        • Opcode Fuzzy Hash: 10b938f7ce63c1f34b294b40c50bda364b380a06fafb19d9394e1db9bd94fe5c
                        • Instruction Fuzzy Hash: 13F074B1685B10ABEB132BB4AC0EF8D3A6CBB18B03F500510F316D94E0CAB470808B65
                        APIs
                        • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,035B7523), ref: 035B743D
                        • GetProcAddress.KERNEL32(00000000), ref: 035B7444
                        • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,035B7523), ref: 035B7452
                        • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,035B7523), ref: 035B745A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoSystem$AddressHandleModuleNativeProc
                        • String ID: GetNativeSystemInfo$kernel32.dll
                        • API String ID: 3433367815-192647395
                        • Opcode ID: c32ddfc998814eca9d5afa14671b9e7a345dd83bdbaf6ce4464e15d605dc0e17
                        • Instruction ID: ad6dc24d28e957a323061479ce90541d4a216f695e2a6f2de565bd05160c0dcc
                        • Opcode Fuzzy Hash: c32ddfc998814eca9d5afa14671b9e7a345dd83bdbaf6ce4464e15d605dc0e17
                        • Instruction Fuzzy Hash: 280178B0D012089FCB60EFF8A900AEEBBF4FB4C201F4049A9D949E3210E7358A10CB61
                        APIs
                        • _memset.LIBCMT ref: 035B607C
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 035B6088
                        • Process32FirstW.KERNEL32(00000000,00000000), ref: 035B60B9
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 035B610F
                        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 035B6116
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
                        • String ID:
                        • API String ID: 2526126748-0
                        • Opcode ID: e9de5b7d0785b8f92110205df71b91df7655e9c30cd4dd17b2940f7edd7aab7a
                        • Instruction ID: cd6da6808b25b184654d73e95feccb7f37cdc1348c0469ac0018fc20840cb420
                        • Opcode Fuzzy Hash: e9de5b7d0785b8f92110205df71b91df7655e9c30cd4dd17b2940f7edd7aab7a
                        • Instruction Fuzzy Hash: A421A33161111DABDB20EFB4EC59BEEB3B9FF18310F0446A9DC0A961A0EB319B15D650
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Time_memmovetime
                        • String ID:
                        • API String ID: 1463837790-0
                        • Opcode ID: aac301ae5065d9ca76d524e1903a427e31d345fae72a395e13f6ce58d47135d4
                        • Instruction ID: 0945336edfea0045c7439430472a1639a4993a4c1e356cb8ae30025a64bab09d
                        • Opcode Fuzzy Hash: aac301ae5065d9ca76d524e1903a427e31d345fae72a395e13f6ce58d47135d4
                        • Instruction Fuzzy Hash: 2851BE72700211AFD712CF6AC8C0AABB7A9BF44318715866CEA198BF01DB31FD518B90

                        APIs
                        • _memset.LIBCMT ref: 003B5E71
                          • Part of subcall function 003B5D70: lstrlenW.KERNEL32(?), ref: 003B5D88
                          • Part of subcall function 003B5D70: _memset.LIBCMT ref: 003B5D92
                          • Part of subcall function 003B5D70: lstrlenW.KERNEL32(|p1:45.207.211.42|o1:6666|t1:1|p2:45.207.211.42|o2:6666|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:), ref: 003B5D9F
                          • Part of subcall function 003B5D70: lstrlenW.KERNEL32(?), ref: 003B5DA7
                        • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 003B601B
                        • RegQueryValueExW.KERNEL32(?,IpDate,00000000,00000003,00000000,00000000), ref: 003B6040
                        • _memset.LIBCMT ref: 003B6058
                        • RegQueryValueExW.ADVAPI32(?,IpDate,00000000,00000003,|p1:45.207.211.42|o1:6666|t1:1|p2:45.207.211.42|o2:6666|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:,0000000A), ref: 003B6078
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: _memsetlstrlen$QueryValue$Open
                        • String ID: Console$IpDate$bb:$bd:$bh:$bz:$cl:$dd:$dl:$fz:$jp:$kl:$ll:$o1:$o2:$o3:$p1:$p2:$p3:$sh:$sx:$t1:$t2:$t3:$|p1:45.207.211.42|o1:6666|t1:1|p2:45.207.211.42|o2:6666|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:
                        • API String ID: 3278200350-3632667583
                        • Opcode ID: 8861dc29a7037303f7581db638ea9596ae08442ad4849bfc3b6d07bdcf6e46e3
                        • Instruction ID: e3b66a1f600e264a1f74f74cfbcd75bf61520a96963aa034af4a893f6d5caa76
                        • Opcode Fuzzy Hash: 8861dc29a7037303f7581db638ea9596ae08442ad4849bfc3b6d07bdcf6e46e3
                        • Instruction Fuzzy Hash: E751BFB5BD8F0579E523A2A84C0BFC929144B11F08F905A5CFB18FD9C299E43D914F6E

                        APIs
                        • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 003B5517
                        • RegQueryValueExW.ADVAPI32(?,d33f351a4aeea5e608853d1a56661059,00000000,00000003,00000000,00000003), ref: 003B553E
                        • _memset.LIBCMT ref: 003B5558
                        • RegQueryValueExW.ADVAPI32(?,d33f351a4aeea5e608853d1a56661059,00000000,00000003,00000000,00000003), ref: 003B5573
                        • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 003B5596
                        • RegCloseKey.ADVAPI32(?), ref: 003B55C1
                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003B5615
                        • _memset.LIBCMT ref: 003B5679
                        • _memset.LIBCMT ref: 003B569D
                        • _memset.LIBCMT ref: 003B56AF
                        • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 003B5736
                        • RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 003B57A9
                        • RegDeleteValueW.KERNEL32(?,d33f351a4aeea5e608853d1a56661059), ref: 003B57BC
                        • RegSetValueExW.KERNEL32(?,d33f351a4aeea5e608853d1a56661059,00000000,00000003,00000000,00000065), ref: 003B57D4
                        • RegCloseKey.KERNEL32(?), ref: 003B57DE
                        • Sleep.KERNEL32(00000BB8), ref: 003B580E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
                        • String ID: !jWW$.$Console\0$_$d33f351a4aeea5e608853d1a56661059$e$i$l${vU_
                        • API String ID: 354323817-1460061483
                        • Opcode ID: 34a69e197c36d313df86b934c6d8799c0557e2f47856368751f8b8f4043c7ce2
                        • Instruction ID: 11b11fc3a0a43ae4f95806401ded503a5d950277ae066b61a3a49e7b82bd044c
                        • Opcode Fuzzy Hash: 34a69e197c36d313df86b934c6d8799c0557e2f47856368751f8b8f4043c7ce2
                        • Instruction Fuzzy Hash: 0691CD75A00704ABDB22DF60DC85FEA77BDEB85704F004159FA09EB681D7B1AE40CBA0

                        APIs
                        • GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 035B9E7B
                        • GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 035B9EFC
                        • GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 035B9F24
                        • GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 035B9F7F
                        • _malloc.LIBCMT ref: 035B9FC0
                          • Part of subcall function 035BF673: __FF_MSGBANNER.LIBCMT ref: 035BF68C
                          • Part of subcall function 035BF673: __NMSG_WRITE.LIBCMT ref: 035BF693
                          • Part of subcall function 035BF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76), ref: 035BF6B8
                        • _free.LIBCMT ref: 035BA000
                        • GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 035BA028
                        • SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 035BA0B7
                        • GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 035BA112
                        • _free.LIBCMT ref: 035BA134
                        • _memcpy_s.LIBCMT ref: 035BA183
                        • GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 035BA1D0
                        • GdipCreateBitmapFromScan0.GDIPLUS(?,?,035D5A7C,00022009,?,00000000,?,00000000), ref: 035BA22C
                        • GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 035BA24C
                        • GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 035BA267
                        • GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 035BA274
                        • GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 035BA27B
                        • _free.LIBCMT ref: 035BA296
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
                        • String ID: &
                        • API String ID: 640422297-3042966939
                        • Opcode ID: 719e0adac70cb2dc0331ead234c3292992eda1101d4dd0f82222efaed6bdf708
                        • Instruction ID: 04113ed2f40270e72a2a98700d1cd2aaf9abba5f759e24ecf2d0117d0c57493b
                        • Opcode Fuzzy Hash: 719e0adac70cb2dc0331ead234c3292992eda1101d4dd0f82222efaed6bdf708
                        • Instruction Fuzzy Hash: C9D151B1A006199BDB24DF55DC80BEAB7B4FF88304F0485ADE70997221D734AA85CFA4

                        APIs
                        • ResetEvent.KERNEL32(?), ref: 035B2DBB
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 035B2DC7
                        • timeGetTime.WINMM ref: 035B2DCD
                        • socket.WS2_32(00000002,00000001,00000006), ref: 035B2DFA
                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 035B2E26
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 035B2E32
                        • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 035B2E51
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 035B2E5D
                        • gethostbyname.WS2_32(00000000), ref: 035B2E6B
                        • htons.WS2_32(?), ref: 035B2E8D
                        • connect.WS2_32(?,?,00000010), ref: 035B2EAB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                        • String ID: 0u
                        • API String ID: 640718063-3203441087
                        • Opcode ID: 2a237550276bddade2c9d436e73d34fc974a1afafe4ed50c84b5face955cab98
                        • Instruction ID: 42c4358e5f5f13ce9fa82832d9cfe6ca3aab87113c3081b4b37c91579724eab7
                        • Opcode Fuzzy Hash: 2a237550276bddade2c9d436e73d34fc974a1afafe4ed50c84b5face955cab98
                        • Instruction Fuzzy Hash: 8C616271A41308AFD720EFA4EC45FAAB7B8FF48B10F104519F655AB2D0D770A9059B64

                        APIs
                        • ResetEvent.KERNEL32(?), ref: 003B2D9B
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 003B2DA7
                        • timeGetTime.WINMM ref: 003B2DAD
                        • socket.WS2_32(00000002,00000001,00000006), ref: 003B2DDA
                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 003B2E06
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 003B2E12
                        • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 003B2E31
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 003B2E3D
                        • gethostbyname.WS2_32(00000000), ref: 003B2E4B
                        • htons.WS2_32(?), ref: 003B2E6D
                        • connect.WS2_32(?,?,00000010), ref: 003B2E8B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                        • String ID: 0u
                        • API String ID: 640718063-3203441087
                        • Opcode ID: e3e06be2da56956dd8bf48b6871cfde8ed6029b366d346b4ec8194b4baf44871
                        • Instruction ID: 776adac9413372e3c716efdb80e0de5deb2e14c13d649dec0f8b2bb7206212d9
                        • Opcode Fuzzy Hash: e3e06be2da56956dd8bf48b6871cfde8ed6029b366d346b4ec8194b4baf44871
                        • Instruction Fuzzy Hash: B0613CB1A40704AFD721DFA4DC46FAAB7B8FF48710F104619F646EB690D6B0B9448B64

                        APIs
                        • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 035BAD53
                        • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 035BAD73
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: OpenQueryValue
                        • String ID: %s_bin$Console$Console\0$IpDatespecial
                        • API String ID: 4153817207-1338088003
                        • Opcode ID: 4f1e02503c36da759e5b80ba219bb147627d87974a66c40215883c2ff8a7c715
                        • Instruction ID: 630a01282b0eb3bb0a3d4cd8a77e8813d8798edc99f76bfb7b28c2fde56fe7aa
                        • Opcode Fuzzy Hash: 4f1e02503c36da759e5b80ba219bb147627d87974a66c40215883c2ff8a7c715
                        • Instruction Fuzzy Hash: 4AC1E3B5A003019BE714EF24EC46FABB3B8FF94714F080568F9459B2A1E771E915C7A2

                        APIs
                        • CreateMutexW.KERNEL32(00000000,00000000,2025. 1. 4), ref: 035B5F66
                        • GetLastError.KERNEL32 ref: 035B5F6E
                        • Sleep.KERNEL32(000003E8), ref: 035B5F85
                        • CreateMutexW.KERNEL32(00000000,00000000,2025. 1. 4), ref: 035B5F90
                        • GetLastError.KERNEL32 ref: 035B5F92
                        • _memset.LIBCMT ref: 035B5FB9
                        • lstrlenW.KERNEL32(?), ref: 035B5FC6
                        • lstrcmpW.KERNEL32(?,035D5328), ref: 035B5FED
                        • Sleep.KERNEL32(000003E8), ref: 035B5FF8
                        • GetModuleHandleW.KERNEL32(00000000), ref: 035B6005
                        • GetConsoleWindow.KERNEL32 ref: 035B600F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                        • String ID: 2025. 1. 4$key$open
                        • API String ID: 2922109467-4242771842
                        • Opcode ID: f7300e0805e415f18307381973d1798f0db0c12c63642a7fa12a687ac5aa201e
                        • Instruction ID: d6222d0c1281bc9b6e9138ef117420a488c5f1da84e9c4e6ba63e42c66f1fa94
                        • Opcode Fuzzy Hash: f7300e0805e415f18307381973d1798f0db0c12c63642a7fa12a687ac5aa201e
                        • Instruction Fuzzy Hash: F72196725453099BD624EB64FC46F9EB3B8FB84604F140C19E6049B1F5EB70A51AC7A3

                        APIs
                        • _memset.LIBCMT ref: 035B62CE
                        • wsprintfW.USER32 ref: 035B6336
                        • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 035B635F
                        • _memset.LIBCMT ref: 035B6376
                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 035B63B2
                        • lstrcatW.KERNEL32(035E1F10,?), ref: 035B63CE
                        • lstrcatW.KERNEL32(035E1F10,035D535C), ref: 035B63DA
                        • RegCloseKey.ADVAPI32(00000000), ref: 035B63E3
                        • lstrlenW.KERNEL32(035E1F10,?,F17FF389,00000AD4,00000000,75A773E0), ref: 035B6427
                        • lstrcatW.KERNEL32(035E1F10,035D53D4,?,F17FF389,00000AD4,00000000,75A773E0), ref: 035B643B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                        • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                        • API String ID: 1671694837-1583895642
                        • Opcode ID: c91302e270162ccea97afbc1d338855c9d029991d5514298e3350d0c2923910d
                        • Instruction ID: 1dc1aa283a4bb7c0c83cc257b112ad5ea04deb46817033dcec922be291d518c4
                        • Opcode Fuzzy Hash: c91302e270162ccea97afbc1d338855c9d029991d5514298e3350d0c2923910d
                        • Instruction Fuzzy Hash: F241A1B1A002686EDB34DB94DC90FEEB7B8BB48605F0445C8F319A71A2D6749B85CF64

                        APIs
                        • LoadLibraryW.KERNEL32(ntdll.dll,75A773E0,?,?,?,035B5611,0000035E,000002FA), ref: 035B749C
                        • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 035B74B2
                        • swprintf.LIBCMT ref: 035B74EF
                          • Part of subcall function 035B7410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,035B7523), ref: 035B743D
                          • Part of subcall function 035B7410: GetProcAddress.KERNEL32(00000000), ref: 035B7444
                          • Part of subcall function 035B7410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,035B7523), ref: 035B7452
                        • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 035B7547
                        • RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 035B7563
                        • RegCloseKey.KERNEL32(000002FA), ref: 035B7586
                        • FreeLibrary.KERNEL32(00000000,?,?,?,035B5611,0000035E,000002FA), ref: 035B7598
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                        • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                        • API String ID: 2158625971-3190923360
                        • Opcode ID: 08cfe0be227ba9bdfdefd2cfd5a1dee71265c54586294867e4b34874acfcd44a
                        • Instruction ID: 65c879a54fb96958e0ae8a67a02bad4fa8995e35e9a0d23d22af7f6e1e221231
                        • Opcode Fuzzy Hash: 08cfe0be227ba9bdfdefd2cfd5a1dee71265c54586294867e4b34874acfcd44a
                        • Instruction Fuzzy Hash: 3C319375A01309BFD724EBA4EC45EEF7B7CEF88600F144919BA06A6195E6709A048BA0

                        APIs
                        • GlobalAlloc.KERNEL32(00000002,?,F17FF389,?,00000000,?), ref: 035BC09E
                        • GlobalLock.KERNEL32(00000000), ref: 035BC0AA
                        • GlobalUnlock.KERNEL32(00000000), ref: 035BC0BF
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 035BC0D5
                        • EnterCriticalSection.KERNEL32(035DFB64), ref: 035BC113
                        • LeaveCriticalSection.KERNEL32(035DFB64), ref: 035BC124
                          • Part of subcall function 035B9DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 035B9E04
                          • Part of subcall function 035B9DE0: GdipDisposeImage.GDIPLUS(?), ref: 035B9E18
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 035BC14C
                          • Part of subcall function 035BA460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 035BA48D
                          • Part of subcall function 035BA460: _free.LIBCMT ref: 035BA503
                        • GetHGlobalFromStream.OLE32(?,?), ref: 035BC16D
                        • GlobalLock.KERNEL32(?), ref: 035BC177
                        • GlobalFree.KERNEL32(00000000), ref: 035BC18F
                          • Part of subcall function 035B9BA0: DeleteObject.GDI32(?), ref: 035B9BD2
                          • Part of subcall function 035B9BA0: EnterCriticalSection.KERNEL32(035DFB64,?,?,?,035B9B7B), ref: 035B9BE3
                          • Part of subcall function 035B9BA0: EnterCriticalSection.KERNEL32(035DFB64,?,?,?,035B9B7B), ref: 035B9BF8
                          • Part of subcall function 035B9BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,035B9B7B), ref: 035B9C04
                          • Part of subcall function 035B9BA0: LeaveCriticalSection.KERNEL32(035DFB64,?,?,?,035B9B7B), ref: 035B9C15
                          • Part of subcall function 035B9BA0: LeaveCriticalSection.KERNEL32(035DFB64,?,?,?,035B9B7B), ref: 035B9C1C
                        • GlobalSize.KERNEL32(00000000), ref: 035BC1A5
                        • GlobalUnlock.KERNEL32(?), ref: 035BC221
                        • GlobalFree.KERNEL32(00000000), ref: 035BC249
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                        • String ID:
                        • API String ID: 1483550337-0
                        • Opcode ID: a92aedfd873b479d8c31cebe98b46647ff3835c57a39d38256a742b70c99fc5b
                        • Instruction ID: 96c9164d9218798a1fe5f5136b5120aa6cfd7f798fa2d4fb8bd01ba62286e9f5
                        • Opcode Fuzzy Hash: a92aedfd873b479d8c31cebe98b46647ff3835c57a39d38256a742b70c99fc5b
                        • Instruction Fuzzy Hash: A7614CB5D01259AFDB10EFE9E884DDEBBB8FF89700F108529E515A7224DB309905CF50
                        APIs
                        • _memset.LIBCMT ref: 035B64C2
                        • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 035B64E2
                        • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 035B6524
                        • _memset.LIBCMT ref: 035B6560
                        • _memset.LIBCMT ref: 035B658E
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75A773E0), ref: 035B65BA
                        • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75A773E0), ref: 035B65C3
                        • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75A773E0), ref: 035B65D5
                        • RegCloseKey.ADVAPI32(?,00000000,00000AD4,75A773E0), ref: 035B6625
                        • lstrlenW.KERNEL32(?), ref: 035B6635
                        Strings
                        • Software\Tencent\Plugin\VAS, xrefs: 035B64D8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                        • String ID: Software\Tencent\Plugin\VAS
                        • API String ID: 2921034913-3343197220
                        • Opcode ID: 2c478855c95e8ea9ab6482b2dc1f4adefbbc89ed9e51f5b260104dc816b8e96e
                        • Instruction ID: 356011fdb6d93c748760359107419e8e8475618ff7b77d65daa2ea8521073f5f
                        • Opcode Fuzzy Hash: 2c478855c95e8ea9ab6482b2dc1f4adefbbc89ed9e51f5b260104dc816b8e96e
                        • Instruction Fuzzy Hash: F441CBF5A40219ABDB34DB94DD85FEAB37CFB44700F0045D9E709B7091EA70AA858FA4
                        APIs
                          • Part of subcall function 035B5320: InterlockedDecrement.KERNEL32(00000008), ref: 035B536F
                          • Part of subcall function 035B5320: SysFreeString.OLEAUT32(00000000), ref: 035B5384
                          • Part of subcall function 035B5320: SysAllocString.OLEAUT32(035D5148), ref: 035B53D5
                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,035D5148,035B69A4,035D5148,00000000,75A773E0), ref: 035B67F4
                        • GetLastError.KERNEL32 ref: 035B67FE
                        • GetProcessHeap.KERNEL32(00000008,?), ref: 035B6816
                        • HeapAlloc.KERNEL32(00000000), ref: 035B681D
                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 035B683F
                        • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 035B6871
                        • GetLastError.KERNEL32 ref: 035B687B
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 035B68E6
                        • HeapFree.KERNEL32(00000000), ref: 035B68ED
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                        • String ID: NONE_MAPPED
                        • API String ID: 1317816589-2950899194
                        • Opcode ID: 3520fe91b8a0da93f431edccb4e56e29049f5a0f98e9b97ddeac987e5ff7812f
                        • Instruction ID: fd3b177ca8ace6104ea8626807ffcb37e69f07203054d58874031188cf83ae86
                        • Opcode Fuzzy Hash: 3520fe91b8a0da93f431edccb4e56e29049f5a0f98e9b97ddeac987e5ff7812f
                        • Instruction Fuzzy Hash: 254186B5901219AFD724DF64EC44FEEB3BDFB85700F404898F609A6150EA715A8A8B61
                        APIs
                          • Part of subcall function 003B7734: __fassign.LIBCMT ref: 003B772A
                        • Sleep.KERNEL32(00000000), ref: 003B615C
                          • Part of subcall function 003B70D7: _malloc.LIBCMT ref: 003B70F1
                        • Sleep.KERNEL32(00000000), ref: 003B62C1
                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 003B630D
                          • Part of subcall function 003B2C60: WSAStartup.WS2_32(00000202,?), ref: 003B2CBF
                          • Part of subcall function 003B2C60: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003B2CCA
                          • Part of subcall function 003B2C60: InterlockedExchange.KERNEL32(00000018,00000000), ref: 003B2CD8
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003B6357
                        • CloseHandle.KERNEL32(?), ref: 003B6375
                        • CloseHandle.KERNEL32(?), ref: 003B6382
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CloseCreateEventHandleSleep$ExchangeInterlockedObjectSingleStartupWait__fassign_malloc
                        • String ID: 45.207.211.42$6666$t<
                        • API String ID: 3083163006-3420542246
                        • Opcode ID: 02e00f39bdea6b351dc8a97ac2bb45440a5478553e5bdd6e2f1de8c65793ec91
                        • Instruction ID: 860b417ee30a8f66f486122b9b7f83eab6bb7f05e72f06807d3d31a9f0decf6a
                        • Opcode Fuzzy Hash: 02e00f39bdea6b351dc8a97ac2bb45440a5478553e5bdd6e2f1de8c65793ec91
                        • Instruction Fuzzy Hash: 6351F4B1E45205AFDB02DFA4DC83EEEB778EF48314F100519F614EB692CB74A9018B91
                        APIs
                        • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 035BA48D
                        • _malloc.LIBCMT ref: 035BA4D1
                        • _free.LIBCMT ref: 035BA503
                        • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 035BA522
                        • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 035BA594
                        • GdipDisposeImage.GDIPLUS(00000000), ref: 035BA59F
                        • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 035BA5C5
                        • GdipDisposeImage.GDIPLUS(00000000), ref: 035BA5DD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                        • String ID: &
                        • API String ID: 2794124522-3042966939
                        • Opcode ID: 5600b1eb2048d910c33d96f905fbee6807dfd83ed1205297dcf7471774bb3996
                        • Instruction ID: 2a23984319004546c887fbe5daf78e26c80fe96f57826d4fc257902d1e7daab3
                        • Opcode Fuzzy Hash: 5600b1eb2048d910c33d96f905fbee6807dfd83ed1205297dcf7471774bb3996
                        • Instruction Fuzzy Hash: A65164B5E002199FDF14DFA4E844EEEB7B8FF48700F148519E905AB260E734AA45CBE0
                        APIs
                        • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 003B5392
                        • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 003B53A2
                        • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,003CC7D8,000012A0), ref: 003B53C0
                        • RegCloseKey.KERNEL32(?), ref: 003B53CB
                        • OpenProcess.KERNEL32(00000400,00000000,?), ref: 003B541F
                        • GetExitCodeProcess.KERNEL32(00000000,?), ref: 003B542B
                        • Sleep.KERNEL32(00000BB8), ref: 003B5444
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                        • String ID: IpDates_info$SOFTWARE
                        • API String ID: 864241144-2243437601
                        • Opcode ID: e5721ba5e46c2624a30485054fd289d8a207906fe52e77ee15be692694cd6667
                        • Instruction ID: 5c75085b1920cbd108ebf1b5177095cac8613fbc6c7b75cf52998c19e6124ddd
                        • Opcode Fuzzy Hash: e5721ba5e46c2624a30485054fd289d8a207906fe52e77ee15be692694cd6667
                        • Instruction Fuzzy Hash: 89413D326486409FD3138B319C15FF67BE8EB5634CF6D0448E689DAA82D370E842CB92
                        APIs
                        • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 003B5392
                        • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 003B53A2
                        • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,003CC7D8,000012A0), ref: 003B53C0
                        • RegCloseKey.KERNEL32(?), ref: 003B53CB
                        • OpenProcess.KERNEL32(00000400,00000000,?), ref: 003B541F
                        • GetExitCodeProcess.KERNEL32(00000000,?), ref: 003B542B
                        • Sleep.KERNEL32(00000BB8), ref: 003B5444
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                        • String ID: IpDates_info$SOFTWARE
                        • API String ID: 864241144-2243437601
                        • Opcode ID: 04091bc72d60f7db0b8cca93b59612bf03251f5f159d89b74af2d8dcd6513b28
                        • Instruction ID: 3658eb71eea975b9ca558d6d0ea3d2ce3df61fbdf56e10bb00be1fce35fe10e9
                        • Opcode Fuzzy Hash: 04091bc72d60f7db0b8cca93b59612bf03251f5f159d89b74af2d8dcd6513b28
                        • Instruction Fuzzy Hash: 2E31B9312487809FD727CB318815FF97BE56B5630DF5D048CE689DA692C370E986CB51
                        APIs
                        • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,035D12F8,F17FF389,00000001,00000000,00000000), ref: 035BCAB1
                        • RegQueryInfoKeyW.ADVAPI32(035D12F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 035BCAE0
                        • _memset.LIBCMT ref: 035BCB44
                        • _memset.LIBCMT ref: 035BCB53
                        • RegEnumValueW.KERNEL32(035D12F8,?,00000000,?,00000000,?,00000000,?), ref: 035BCB72
                          • Part of subcall function 035BF707: _malloc.LIBCMT ref: 035BF721
                          • Part of subcall function 035BF707: std::exception::exception.LIBCMT ref: 035BF756
                          • Part of subcall function 035BF707: std::exception::exception.LIBCMT ref: 035BF770
                          • Part of subcall function 035BF707: __CxxThrowException@8.LIBCMT ref: 035BF781
                        • RegCloseKey.KERNEL32(035D12F8,?,?,?,?,?,?,?,?,?,?,?,00000000,035D12F8,000000FF), ref: 035BCC83
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                        • String ID: Console\0
                        • API String ID: 1348767993-1253790388
                        • Opcode ID: 5c0b6ca0ae16aea0d5396fba3a9bfcd1bdfd19de4055536d3c4ef051dd793b4c
                        • Instruction ID: 5c00d95583f530eea77b5e186299f69790aa950154f15bc1e993001e7e0b8dde
                        • Opcode Fuzzy Hash: 5c0b6ca0ae16aea0d5396fba3a9bfcd1bdfd19de4055536d3c4ef051dd793b4c
                        • Instruction Fuzzy Hash: AF613EB5E01219AFDB04DFA8EC80EEEB7B8FF48310F14456AE915EB251D7349901CBA4
                        APIs
                          • Part of subcall function 035BF707: _malloc.LIBCMT ref: 035BF721
                        • _memset.LIBCMT ref: 035BBB21
                        • GetLastInputInfo.USER32(?), ref: 035BBB37
                        • GetTickCount.KERNEL32 ref: 035BBB3D
                        • wsprintfW.USER32 ref: 035BBB66
                        • GetForegroundWindow.USER32 ref: 035BBB6F
                        • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 035BBB83
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                        • String ID: %d min
                        • API String ID: 3754759880-1947832151
                        • Opcode ID: b03b95bb4a38cee850e722c27185d012a58775817f2af9702a41b59fa26edc68
                        • Instruction ID: 05a85ddb8abe7fda28bf5d722ee620333e6066c7f68cd2d6213b3c7209f509a3
                        • Opcode Fuzzy Hash: b03b95bb4a38cee850e722c27185d012a58775817f2af9702a41b59fa26edc68
                        • Instruction Fuzzy Hash: 964192B5900219AFCB10DFA4EC89EDEBBB8FF44700F088555E9099B265D6749A04CBE1
                        APIs
                        • GetCurrentProcessId.KERNEL32(F17FF389,00000000,00000000,75A773E0,?,00000000,035D10DB,000000FF,?,035B6AB3,00000000), ref: 035B6938
                        • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,035D10DB,000000FF,?,035B6AB3,00000000), ref: 035B6947
                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,035D10DB,000000FF,?,035B6AB3,00000000), ref: 035B6960
                        • CloseHandle.KERNEL32(00000000,?,00000000,035D10DB,000000FF,?,035B6AB3,00000000), ref: 035B696B
                        • SysStringLen.OLEAUT32(00000000), ref: 035B69BE
                        • SysStringLen.OLEAUT32(00000000), ref: 035B69CC
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,035D10DB,000000FF), ref: 035B6A2E
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,035D10DB,000000FF), ref: 035B6A34
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandleProcess$OpenString$CurrentToken
                        • String ID:
                        • API String ID: 429299433-0
                        • Opcode ID: c131565447f3b7b09892dde7cc54ab00ea73e92bae77392ed2f8470d7436e0e7
                        • Instruction ID: 51362685855969011b792eff32369d3819523881281f586a8282db8ba1cedc7e
                        • Opcode Fuzzy Hash: c131565447f3b7b09892dde7cc54ab00ea73e92bae77392ed2f8470d7436e0e7
                        • Instruction Fuzzy Hash: 5541D4B2D00219DFCB11DFA8EC81AEEF7B8FB44700F144A2AE915E7260D7755905CBA0
                        APIs
                        • _memset.LIBCMT ref: 035B6DD9
                        • RegOpenKeyExW.KERNEL32(80000001,035D5164,00000000,00020019,75A773E0), ref: 035B6DFC
                        • RegQueryValueExW.KERNEL32(75A773E0,GROUP,00000000,00000001,?,00000208), ref: 035B6E4A
                        • lstrcmpW.KERNEL32(?,035D5148), ref: 035B6E60
                        • lstrcpyW.KERNEL32(035B56EA,?), ref: 035B6E72
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: OpenQueryValue_memsetlstrcmplstrcpy
                        • String ID: GROUP
                        • API String ID: 2102619503-2593425013
                        • Opcode ID: 65ed6401504b463ba84f6b95cacd9651f6f3df26644447f1b8957c0c275be200
                        • Instruction ID: 809de1a5cee00f2e56727d563709056fdfe1553aca5c207183f07fe82ab61202
                        • Opcode Fuzzy Hash: 65ed6401504b463ba84f6b95cacd9651f6f3df26644447f1b8957c0c275be200
                        • Instruction Fuzzy Hash: 75316271901319AFDB30DF94EC89FDEB7B8FB48710F104699E519A61A0DB74AA84CF60
                        APIs
                        • ___set_flsgetvalue.LIBCMT ref: 035BFA4E
                        • __calloc_crt.LIBCMT ref: 035BFA5A
                        • __getptd.LIBCMT ref: 035BFA67
                        • CreateThread.KERNEL32(00000000,00000000,035BF9C4,00000000,00000000,035BE003), ref: 035BFA9E
                        • GetLastError.KERNEL32(?,00000000,?,?,035BE003,00000000,00000000,035B5F40,00000000,00000000,00000000), ref: 035BFAA8
                        • _free.LIBCMT ref: 035BFAB1
                        • __dosmaperr.LIBCMT ref: 035BFABC
                          • Part of subcall function 035BF91B: __getptd_noexit.LIBCMT ref: 035BF91B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                        • String ID:
                        • API String ID: 155776804-0
                        • Opcode ID: afb9f715df7d95e8b2de43453119cbedfc0fd80b353ddf62a45db1d125bdc396
                        • Instruction ID: b84236d0f56bba0779c32b57111869d7a580586bd0ccd431a91c0e44a7f3bc83
                        • Opcode Fuzzy Hash: afb9f715df7d95e8b2de43453119cbedfc0fd80b353ddf62a45db1d125bdc396
                        • Instruction Fuzzy Hash: 9811C23620174BBFDB25EFA5FC40DDB77B8FF84A68B14442AF9048A070DB71D8018660
                        APIs
                        • ___set_flsgetvalue.LIBCMT ref: 003B7400
                        • __calloc_crt.LIBCMT ref: 003B740C
                        • __getptd.LIBCMT ref: 003B7419
                        • CreateThread.KERNEL32(?,?,003B7376,00000000,?,?), ref: 003B7450
                        • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 003B745A
                        • _free.LIBCMT ref: 003B7463
                        • __dosmaperr.LIBCMT ref: 003B746E
                          • Part of subcall function 003B72CD: __getptd_noexit.LIBCMT ref: 003B72CD
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                        • String ID:
                        • API String ID: 155776804-0
                        • Opcode ID: 4f6e6f8e1e508c490ddbcad36ad8a49786a2152226bec787d37d66502859293f
                        • Instruction ID: 06254993048e445c094fa9645710dbb8c59c157f9b3afaf1ba68ca48f21a1217
                        • Opcode Fuzzy Hash: 4f6e6f8e1e508c490ddbcad36ad8a49786a2152226bec787d37d66502859293f
                        • Instruction Fuzzy Hash: 7D11C232108706AFD713AFB59C41DDB3B98EF85368B11442AFB54CE951DB31D80186A1
                        APIs
                        • ___set_flsgetvalue.LIBCMT ref: 035BF9CA
                          • Part of subcall function 035C3CA0: TlsGetValue.KERNEL32(00000000,035C3DF9,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76,00000000,00000000), ref: 035C3CA9
                          • Part of subcall function 035C3CA0: DecodePointer.KERNEL32(?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76,00000000,00000000,?,035C3F06,0000000D), ref: 035C3CBB
                          • Part of subcall function 035C3CA0: TlsSetValue.KERNEL32(00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76,00000000,00000000,?,035C3F06), ref: 035C3CCA
                        • ___fls_getvalue@4.LIBCMT ref: 035BF9D5
                          • Part of subcall function 035C3C80: TlsGetValue.KERNEL32(?,?,035BF9DA,00000000), ref: 035C3C8E
                        • ___fls_setvalue@8.LIBCMT ref: 035BF9E8
                          • Part of subcall function 035C3CD4: DecodePointer.KERNEL32(?,?,?,035BF9ED,00000000,?,00000000), ref: 035C3CE5
                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 035BF9F1
                        • ExitThread.KERNEL32 ref: 035BF9F8
                        • GetCurrentThreadId.KERNEL32 ref: 035BF9FE
                        • __freefls@4.LIBCMT ref: 035BFA1E
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                        • String ID:
                        • API String ID: 2383549826-0
                        • Opcode ID: 9a3ae50db08e83f931364149c22ec78ba6cf8a349be3a9ad387e8329deed3f4d
                        • Instruction ID: e761218e5bba5c22369aad22a3543ad4e1337c158e9c7112f6413ca0151d244a
                        • Opcode Fuzzy Hash: 9a3ae50db08e83f931364149c22ec78ba6cf8a349be3a9ad387e8329deed3f4d
                        • Instruction Fuzzy Hash: 7BF04F7C61138ABFC718FBB1E908C4E7BB8BE84248710C458E9058B231DA38D842C791
                        APIs
                        • ___set_flsgetvalue.LIBCMT ref: 003B737C
                          • Part of subcall function 003B9878: TlsGetValue.KERNEL32(7FFFFFFF,003B99D1,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000,?,003B772F,?), ref: 003B9881
                          • Part of subcall function 003B9878: DecodePointer.KERNEL32(?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000,?,003B772F,?,00000000,0000000A), ref: 003B9893
                          • Part of subcall function 003B9878: TlsSetValue.KERNEL32(00000000,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000,?,003B772F,?,00000000), ref: 003B98A2
                        • ___fls_getvalue@4.LIBCMT ref: 003B7387
                          • Part of subcall function 003B9858: TlsGetValue.KERNEL32(?,?,003B738C,00000000), ref: 003B9866
                        • ___fls_setvalue@8.LIBCMT ref: 003B739A
                          • Part of subcall function 003B98AC: DecodePointer.KERNEL32(?,?,?,003B739F,00000000,?,00000000), ref: 003B98BD
                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 003B73A3
                        • ExitThread.KERNEL32 ref: 003B73AA
                        • GetCurrentThreadId.KERNEL32 ref: 003B73B0
                        • __freefls@4.LIBCMT ref: 003B73D0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                        • String ID:
                        • API String ID: 2383549826-0
                        • Opcode ID: 81a11599a630bd9a588eaf6fbcd41a9d5dae5cf9c4207983abbec992aff63b32
                        • Instruction ID: b8aa29dad7f309512b9fa94b616a10a5163504ef652ef036cf50e4c763f2b1eb
                        • Opcode Fuzzy Hash: 81a11599a630bd9a588eaf6fbcd41a9d5dae5cf9c4207983abbec992aff63b32
                        • Instruction Fuzzy Hash: C5F01D74404614ABC706AF71C94998E7BEDEE853487158459FB09CFA12DB38E8429BE1
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003B32F1
                        • Sleep.KERNEL32(00000258), ref: 003B32FE
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 003B3306
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003B3312
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003B331A
                        • Sleep.KERNEL32(0000012C), ref: 003B332B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                        • String ID:
                        • API String ID: 3137405945-0
                        • Opcode ID: c2333a5155f12904282fc3e24a393f766e748dd69d09f5c05144973d1f1f7312
                        • Instruction ID: b2bff17abe67bb4cf2d6597c6e927a1455f53e626278099cf36c7dcae4eea359
                        • Opcode Fuzzy Hash: c2333a5155f12904282fc3e24a393f766e748dd69d09f5c05144973d1f1f7312
                        • Instruction Fuzzy Hash: F2F012722057146BD610ABA9DC84E56F3ACAF95774F204709F265D72E0CAB4F8418BA0
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 035B669B
                        • CoCreateInstance.OLE32(035D46FC,00000000,00000001,035D471C,?,?,?,?,?,?,?,?,?,?,035B588A), ref: 035B66B2
                        • SysFreeString.OLEAUT32(?), ref: 035B674C
                        • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,035B588A), ref: 035B677D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFreeInitializeInstanceStringUninitialize
                        • String ID: FriendlyName
                        • API String ID: 841178590-3623505368
                        • Opcode ID: 9d734b01910d8e20378a139045bf9c577502f905fc347ed39836cde888659f54
                        • Instruction ID: af3a896afbd886abc19dbaec94f3f0e6bcc5b607fc19908030b4ff44fc8d6641
                        • Opcode Fuzzy Hash: 9d734b01910d8e20378a139045bf9c577502f905fc347ed39836cde888659f54
                        • Instruction Fuzzy Hash: 3F312C75700209AFDB10DB99DC80EAEB7B9FF88704F148598F515EB264DB71E942CBA0
                        APIs
                        • _malloc.LIBCMT ref: 035BF721
                          • Part of subcall function 035BF673: __FF_MSGBANNER.LIBCMT ref: 035BF68C
                          • Part of subcall function 035BF673: __NMSG_WRITE.LIBCMT ref: 035BF693
                          • Part of subcall function 035BF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76), ref: 035BF6B8
                        • std::exception::exception.LIBCMT ref: 035BF756
                        • std::exception::exception.LIBCMT ref: 035BF770
                        • __CxxThrowException@8.LIBCMT ref: 035BF781
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                        • String ID: bad allocation
                        • API String ID: 615853336-2104205924
                        • Opcode ID: d573a4483dc2ac1a0c559496f0ed96b82a26d9605c56148bed0a80ade34577b7
                        • Instruction ID: bda633c546e90bb61dd47f130c0bddfe8708f199f6e868d99f0725f724954b4e
                        • Opcode Fuzzy Hash: d573a4483dc2ac1a0c559496f0ed96b82a26d9605c56148bed0a80ade34577b7
                        • Instruction Fuzzy Hash: CBF02874A0070A6FDB20FB58FC24EEE77B8BB80204F240059D811DA0B1DBB0CB05CBA0
                        APIs
                        • _malloc.LIBCMT ref: 003B70F1
                          • Part of subcall function 003B7043: __FF_MSGBANNER.LIBCMT ref: 003B705C
                          • Part of subcall function 003B7043: __NMSG_WRITE.LIBCMT ref: 003B7063
                          • Part of subcall function 003B7043: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003BA0B0,?,00000001,?,?,003BC10B,00000018,003C7C70,0000000C,003BC19B), ref: 003B7088
                        • std::exception::exception.LIBCMT ref: 003B7126
                        • std::exception::exception.LIBCMT ref: 003B7140
                        • __CxxThrowException@8.LIBCMT ref: 003B7151
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                        • String ID: ma;h
                        • API String ID: 615853336-3737540487
                        • Opcode ID: a0375e0acf58102c64c2815c6515efbe29ca9dc4357ee673d60f456be81340eb
                        • Instruction ID: bd59633ec741f519fde11d13e059af298fa69142f5dac77a41970715330cd02d
                        • Opcode Fuzzy Hash: a0375e0acf58102c64c2815c6515efbe29ca9dc4357ee673d60f456be81340eb
                        • Instruction Fuzzy Hash: ACF0F43590450D6ADB17BB64DC02FDD3AAAEBC071CF10001AF600EA9D1CBB0AE80C751
                        APIs
                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 003B2D3C
                        • CancelIo.KERNEL32(?), ref: 003B2D46
                        • InterlockedExchange.KERNEL32(00000000,00000000), ref: 003B2D4F
                        • closesocket.WS2_32(?), ref: 003B2D59
                        • SetEvent.KERNEL32(00000001), ref: 003B2D63
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                        • String ID:
                        • API String ID: 1486965892-0
                        • Opcode ID: e22423916f22809ce575f573b49458ecf86aa2aea9a714f42654d1fc04881f57
                        • Instruction ID: 86bdec0285a2f8fa95cd175066c7b159698cd3df17d4fc466c4438a91279b506
                        • Opcode Fuzzy Hash: e22423916f22809ce575f573b49458ecf86aa2aea9a714f42654d1fc04881f57
                        • Instruction Fuzzy Hash: E9F03C76101B00AFD3209B54DC49F5677BCBB49B11F104A58F682D6690CAB0B9448BA0
                        APIs
                        • InterlockedDecrement.KERNEL32(00000008), ref: 035B536F
                        • SysFreeString.OLEAUT32(00000000), ref: 035B5384
                        • SysAllocString.OLEAUT32(035D5148), ref: 035B53D5
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: String$AllocDecrementFreeInterlocked
                        • String ID:
                        • API String ID: 3605875487-0
                        • Opcode ID: ce78ff72ea38a0ec0328d3faa0ec9b8b57850167af434c790f9fda2fa1664044
                        • Instruction ID: aefae1d63c80ff40767e4ce128543a4c1ec19c5dce203b3ba3d8ad6406f32f76
                        • Opcode Fuzzy Hash: ce78ff72ea38a0ec0328d3faa0ec9b8b57850167af434c790f9fda2fa1664044
                        • Instruction Fuzzy Hash: 86319F716017559BD724DF65E880B9AB7F8FB05B14F188929FC559B360E7B0E900CBA0
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 035B316B
                        • InterlockedExchange.KERNEL32(?,00000001), ref: 035B3183
                        • GetCurrentThreadId.KERNEL32 ref: 035B322F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentThread$ExchangeInterlocked
                        • String ID:
                        • API String ID: 4033114805-0
                        • Opcode ID: 2c4eb46de8da981b08009e29aebaa8a452d184776012a6a31fe20b3cbe73279d
                        • Instruction ID: d75ff22f140944ec1d71aaced668435c22d6e62ecb7008b7fb09fdfec2bfddab
                        • Opcode Fuzzy Hash: 2c4eb46de8da981b08009e29aebaa8a452d184776012a6a31fe20b3cbe73279d
                        • Instruction Fuzzy Hash: 51319F78200602DFC728DF69D994AA6B3F9FF84704B10C96DE85ADB624D731F842CB90
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 003B314B
                        • InterlockedExchange.KERNEL32(?,00000001), ref: 003B3163
                        • GetCurrentThreadId.KERNEL32 ref: 003B320F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CurrentThread$ExchangeInterlocked
                        • String ID:
                        • API String ID: 4033114805-0
                        • Opcode ID: caa487d17921e2fabaf206c676bb4b32a30704f16dd4c02b5f5039082fb33a32
                        • Instruction ID: b3766e470afb0e8af7b551fe362d5c70226bc435ddabcfaf874eb21e25419bd6
                        • Opcode Fuzzy Hash: caa487d17921e2fabaf206c676bb4b32a30704f16dd4c02b5f5039082fb33a32
                        • Instruction Fuzzy Hash: D1316B712006169FC716EF6DC895AAAB7E8FF44708B10C52DEA1ACBA15D731FD81CB90
                        APIs
                        • __floor_pentium4.LIBCMT ref: 035B11E9
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 035B1226
                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 035B1255
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree__floor_pentium4
                        • String ID:
                        • API String ID: 2605973128-0
                        • Opcode ID: 7e3093693e13e3f5b69bc7f49e5f1da71fa2aa8911c77d0b86355c4099e78a80
                        • Instruction ID: aea5d87c54dc631e9f64d5f97f811a3245e82e2e1aa894bacaa1bd15e2143138
                        • Opcode Fuzzy Hash: 7e3093693e13e3f5b69bc7f49e5f1da71fa2aa8911c77d0b86355c4099e78a80
                        • Instruction Fuzzy Hash: 1321A771A007099FDB50DFAEE845B5EF7F8FF40705F0085ADE849D2650E730A9548754
                        APIs
                        • __floor_pentium4.LIBCMT ref: 003B11E9
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 003B1226
                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 003B1255
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Virtual$AllocFree__floor_pentium4
                        • String ID:
                        • API String ID: 2605973128-0
                        • Opcode ID: 5808c99ae1c2a53f0acb491cca898fc3f38d6ff229e24bec9effa156cf86ac39
                        • Instruction ID: 088301f55e3bea3af41bbed6fe91ea2d0e6ef5ba6266bce37e33b8299303b261
                        • Opcode Fuzzy Hash: 5808c99ae1c2a53f0acb491cca898fc3f38d6ff229e24bec9effa156cf86ac39
                        • Instruction Fuzzy Hash: 0021C231B006099FDB119FADDC46BAEB7F8EF40705F00896DEA49D6A40E630A8508740
                        APIs
                        • __floor_pentium4.LIBCMT ref: 035B112F
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 035B115F
                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 035B1192
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree__floor_pentium4
                        • String ID:
                        • API String ID: 2605973128-0
                        • Opcode ID: 64c713a226b05238546d6ba3aac99373717f23a4c0618d2fc7566f90d8bb3dcf
                        • Instruction ID: a3b29b7e5f7c48b57b2a87b7fdb40ad5bd62f5884654896359546ac9d4e7e6f7
                        • Opcode Fuzzy Hash: 64c713a226b05238546d6ba3aac99373717f23a4c0618d2fc7566f90d8bb3dcf
                        • Instruction Fuzzy Hash: 7A11D370A00709AFDB509FA9EC85B6EFBF8FF04705F0088A9E95AE2250E730A9148750
                        APIs
                        • __floor_pentium4.LIBCMT ref: 003B112F
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 003B115F
                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 003B1192
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Virtual$AllocFree__floor_pentium4
                        • String ID:
                        • API String ID: 2605973128-0
                        • Opcode ID: 71e9524e4096bf712f4fcf289cd69b2d4ce3fb28032444adb90e38db6b281a92
                        • Instruction ID: 0571f8edccedeb6499141b21f425ccfd20b6095a001ffd6ebf108ddb54e4bb4f
                        • Opcode Fuzzy Hash: 71e9524e4096bf712f4fcf289cd69b2d4ce3fb28032444adb90e38db6b281a92
                        • Instruction Fuzzy Hash: F911D371E00709ABDB119FADDC86BAEFBF8EF04705F008569EE49D2640E630A9508B50
                        APIs
                        • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 035B9E04
                        • GdipDisposeImage.GDIPLUS(?), ref: 035B9E18
                        • GdipDisposeImage.GDIPLUS(?), ref: 035B9E3B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Gdip$DisposeImage$BitmapCreateFromStream
                        • String ID:
                        • API String ID: 800915452-0
                        • Opcode ID: 5b2ff5fca99e7b4a42dd0361cbdf900bfd2ce29068ef4fd3a7ac2034f084cb88
                        • Instruction ID: ae6703dd69ffcf900098a49b7ff05bb7171868b2e2ce25e9290f8fa543d186cb
                        • Opcode Fuzzy Hash: 5b2ff5fca99e7b4a42dd0361cbdf900bfd2ce29068ef4fd3a7ac2034f084cb88
                        • Instruction Fuzzy Hash: 4CF0A471901229A7CB20EF98E844CEEF7B9FB49611B15454AFD05AB350D7305B15DBE0
                        APIs
                        • EnterCriticalSection.KERNEL32(035DFB64), ref: 035B9ADC
                        • GdiplusStartup.GDIPLUS(035DFB60,?,?), ref: 035B9B15
                        • LeaveCriticalSection.KERNEL32(035DFB64), ref: 035B9B26
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterGdiplusLeaveStartup
                        • String ID:
                        • API String ID: 389129658-0
                        • Opcode ID: 5409ad781aa2009841d3bf4d466bc5359e04fd6b6c5bdaf0927b699dcfa860eb
                        • Instruction ID: d592d9c9ef1f62b9315d6dbb326c1f3ccbe7422785f3c4da00ccb06f1241a0fe
                        • Opcode Fuzzy Hash: 5409ad781aa2009841d3bf4d466bc5359e04fd6b6c5bdaf0927b699dcfa860eb
                        • Instruction Fuzzy Hash: 4CF0243194220D9FEB20EFD5F82ABEEBBB8FB04301F040199E94556160C7B2015DDBE1
                        APIs
                        • __getptd_noexit.LIBCMT ref: 003B731B
                          • Part of subcall function 003B99BA: GetLastError.KERNEL32(?,7FFFFFFF,003B72D2,003BAF17,00000010,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000), ref: 003B99BE
                          • Part of subcall function 003B99BA: ___set_flsgetvalue.LIBCMT ref: 003B99CC
                          • Part of subcall function 003B99BA: __calloc_crt.LIBCMT ref: 003B99E0
                          • Part of subcall function 003B99BA: DecodePointer.KERNEL32(00000000,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000,?,003B772F,?,00000000), ref: 003B99FA
                          • Part of subcall function 003B99BA: GetCurrentThreadId.KERNEL32 ref: 003B9A10
                          • Part of subcall function 003B99BA: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000,?,003B772F,?,00000000), ref: 003B9A28
                        • __freeptd.LIBCMT ref: 003B7325
                          • Part of subcall function 003B9B7C: TlsGetValue.KERNEL32(?,?,003B732A,00000000,?,003B7356,00000000), ref: 003B9B9D
                          • Part of subcall function 003B9B7C: TlsGetValue.KERNEL32(?,?,003B732A,00000000,?,003B7356,00000000), ref: 003B9BAF
                          • Part of subcall function 003B9B7C: DecodePointer.KERNEL32(00000000,?,003B732A,00000000,?,003B7356,00000000), ref: 003B9BC5
                          • Part of subcall function 003B9B7C: __freefls@4.LIBCMT ref: 003B9BD0
                          • Part of subcall function 003B9B7C: TlsSetValue.KERNEL32(00000004,00000000,?,003B732A,00000000,?,003B7356,00000000), ref: 003B9BE2
                        • ExitThread.KERNEL32 ref: 003B732E
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                        • String ID:
                        • API String ID: 4224061863-0
                        • Opcode ID: ba05ab92eb7a652f3e88de41912c0e56949459321a1b067d59e0fbd74e5eaf0e
                        • Instruction ID: 48b76feef8b0ee7f7f696d911cdd00b9cfa73e9292543ce4d976c8ea4902bf7a
                        • Opcode Fuzzy Hash: ba05ab92eb7a652f3e88de41912c0e56949459321a1b067d59e0fbd74e5eaf0e
                        • Instruction Fuzzy Hash: EBC08C200042082A8E0237219C0EE8B3A9DD980304B8900197B0889521EE28E8408190
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0343022B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                        • Instruction ID: dd17e082d70e958bbb4421d50e349bb4817380cd56dec5e817e0acc765429803
                        • Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                        • Instruction Fuzzy Hash: CEA17371A00606DFDB14CF99C880AAEF7B5FF49704F1882AAE416DB751D730EA51CB94
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time_memmovetime
                        • String ID:
                        • API String ID: 1463837790-0
                        • Opcode ID: 39b80b3d53b2bb46acd02acf480a987efd930e9d5602f1a9e44967119f75f351
                        • Instruction ID: cb6a779ff8740a12ff1b278fd172ccc5b374b1cf2d7d80ec001820646412bd3c
                        • Opcode Fuzzy Hash: 39b80b3d53b2bb46acd02acf480a987efd930e9d5602f1a9e44967119f75f351
                        • Instruction Fuzzy Hash: E651E37A7006069FD711CF69D8D4AABB7B9FF84210708866CE919AB720DB31F841CB90
                        APIs
                        • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 035B3043
                        • recv.WS2_32(?,?,00040000,00000000), ref: 035B3064
                          • Part of subcall function 035BF91B: __getptd_noexit.LIBCMT ref: 035BF91B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __getptd_noexitrecvselect
                        • String ID:
                        • API String ID: 4248608111-0
                        • Opcode ID: 9b6e635b10f7d4fe2fc227d89747d8d6f42159af0df1ea40d02250d7c37dddd8
                        • Instruction ID: 558878d6867acc2a990fcb17cae22b833bc4fd3854aa8f5143e62c9e60d880df
                        • Opcode Fuzzy Hash: 9b6e635b10f7d4fe2fc227d89747d8d6f42159af0df1ea40d02250d7c37dddd8
                        • Instruction Fuzzy Hash: 8D21717450130CEBDB20EF69EC89BDA77B4FF44310F1805A5E5446B1B0D670AA85CBA1
                        APIs
                        • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 003B3023
                        • recv.WS2_32(?,?,00040000,00000000), ref: 003B3044
                          • Part of subcall function 003B72CD: __getptd_noexit.LIBCMT ref: 003B72CD
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: __getptd_noexitrecvselect
                        • String ID:
                        • API String ID: 4248608111-0
                        APIs
                        • send.WS2_32(?,?,00040000,00000000), ref: 035B3291
                        • send.WS2_32(?,?,?,00000000), ref: 035B32CE
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: send
                        • String ID:
                        • API String ID: 2809346765-0
                        APIs
                        • send.WS2_32(?,?,00040000,00000000), ref: 003B3271
                        • send.WS2_32(?,?,?,00000000), ref: 003B32AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: send
                        • String ID:
                        • API String ID: 2809346765-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: SleepTimetime
                        • String ID:
                        • API String ID: 346578373-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: SleepTimetime
                        • String ID:
                        • API String ID: 346578373-0
                        APIs
                        • HeapCreate.KERNEL32(00000004,00000000,00000000,035BE04E,00000000,035B9800,?,?,?,00000000,035D125B,000000FF,?,035BE04E), ref: 035BCD1B
                        • _free.LIBCMT ref: 035BCD56
                          • Part of subcall function 035B1280: __CxxThrowException@8.LIBCMT ref: 035B1290
                          • Part of subcall function 035B1280: DeleteCriticalSection.KERNEL32(00000000,035BD3E6,035D6624,?,?,035BD3E6,?,?,?,?,035D5A44,00000000), ref: 035B12A1
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                        • String ID:
                        • API String ID: 1116298128-0
                        APIs
                        • HeapCreate.KERNEL32(00000004,00000000,00000000,003B61A0,00000000,003B5B02), ref: 003B65EB
                        • _free.LIBCMT ref: 003B6626
                          • Part of subcall function 003B1280: __CxxThrowException@8.LIBCMT ref: 003B1290
                          • Part of subcall function 003B1280: DeleteCriticalSection.KERNEL32(00000000,FFFFFFFF,003C7E78,?,?,003B6601), ref: 003B12A1
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                        • String ID:
                        • API String ID: 1116298128-0
                        APIs
                        • CreateThread.KERNEL32(00000000,00000000,035BDF10,00000000,00000000,00000000), ref: 035BE49B
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,035C1168,?,?,?,?,?,?,035D6298,0000000C,035C1210,?), ref: 035BE4A9
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateObjectSingleThreadWait
                        • String ID:
                        • API String ID: 1891408510-0
                        APIs
                        • __getptd.LIBCMT ref: 035BF98F
                          • Part of subcall function 035C3E5B: __getptd_noexit.LIBCMT ref: 035C3E5E
                          • Part of subcall function 035C3E5B: __amsg_exit.LIBCMT ref: 035C3E6B
                          • Part of subcall function 035BF964: __getptd_noexit.LIBCMT ref: 035BF969
                          • Part of subcall function 035BF964: __freeptd.LIBCMT ref: 035BF973
                          • Part of subcall function 035BF964: ExitThread.KERNEL32 ref: 035BF97C
                        • __XcptFilter.LIBCMT ref: 035BF9B0
                          • Part of subcall function 035C418F: __getptd_noexit.LIBCMT ref: 035C4195
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                        • String ID:
                        • API String ID: 418257734-0
                        APIs
                        • __getptd.LIBCMT ref: 003B7341
                          • Part of subcall function 003B9A33: __getptd_noexit.LIBCMT ref: 003B9A36
                          • Part of subcall function 003B9A33: __amsg_exit.LIBCMT ref: 003B9A43
                          • Part of subcall function 003B7316: __getptd_noexit.LIBCMT ref: 003B731B
                          • Part of subcall function 003B7316: __freeptd.LIBCMT ref: 003B7325
                          • Part of subcall function 003B7316: ExitThread.KERNEL32 ref: 003B732E
                        • __XcptFilter.LIBCMT ref: 003B7362
                          • Part of subcall function 003B9D65: __getptd_noexit.LIBCMT ref: 003B9D6B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                        • String ID:
                        • API String ID: 418257734-0
                        APIs
                        • __lock.LIBCMT ref: 035C641B
                          • Part of subcall function 035C8E5B: __mtinitlocknum.LIBCMT ref: 035C8E71
                          • Part of subcall function 035C8E5B: __amsg_exit.LIBCMT ref: 035C8E7D
                          • Part of subcall function 035C8E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,035C3F06,0000000D,035D6340,00000008,035C3FFF,00000000,?,035C10F0,00000000,035D6278,00000008,035C1155,?), ref: 035C8E85
                        • __tzset_nolock.LIBCMT ref: 035C642C
                          • Part of subcall function 035C5D22: __lock.LIBCMT ref: 035C5D44
                          • Part of subcall function 035C5D22: ____lc_codepage_func.LIBCMT ref: 035C5D8B
                          • Part of subcall function 035C5D22: __getenv_helper_nolock.LIBCMT ref: 035C5DAD
                          • Part of subcall function 035C5D22: _free.LIBCMT ref: 035C5DE4
                          • Part of subcall function 035C5D22: _strlen.LIBCMT ref: 035C5DEB
                          • Part of subcall function 035C5D22: __malloc_crt.LIBCMT ref: 035C5DF2
                          • Part of subcall function 035C5D22: _strlen.LIBCMT ref: 035C5E08
                          • Part of subcall function 035C5D22: _strcpy_s.LIBCMT ref: 035C5E16
                          • Part of subcall function 035C5D22: __invoke_watson.LIBCMT ref: 035C5E2B
                          • Part of subcall function 035C5D22: _free.LIBCMT ref: 035C5E3A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                        • String ID:
                        • API String ID: 1828324828-0
                        APIs
                        • RegCloseKey.ADVAPI32(80000001,035B6E9A), ref: 035B6EC9
                        • RegCloseKey.ADVAPI32(75A773E0), ref: 035B6ED2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        APIs
                        • WSAStartup.WS2_32(00000202), ref: 003C429E
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Startup
                        • String ID:
                        • API String ID: 724789610-0
                        APIs
                        • _memset.LIBCMT ref: 035BE8A9
                        • Sleep.KERNEL32(00000001,?,?,?,035B604D), ref: 035BE8B3
                        • GetTickCount.KERNEL32 ref: 035BE8BF
                        • GetTickCount.KERNEL32 ref: 035BE8D2
                        • InterlockedExchange.KERNEL32(035E1F08,00000000), ref: 035BE8DA
                        • OpenClipboard.USER32(00000000), ref: 035BE8E2
                        • GetClipboardData.USER32(0000000D), ref: 035BE8EA
                        • GlobalSize.KERNEL32(00000000), ref: 035BE8FB
                        • GlobalLock.KERNEL32(00000000), ref: 035BE90C
                        • wsprintfW.USER32 ref: 035BE985
                        • _memset.LIBCMT ref: 035BE9A3
                        • GlobalUnlock.KERNEL32(00000000), ref: 035BE9AC
                        • CloseClipboard.USER32 ref: 035BE9B2
                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 035BE9CA
                        • CreateFileW.KERNEL32(035E0D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 035BE9E4
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 035BEA02
                        • lstrlenW.KERNEL32(035D5B48,?,00000000), ref: 035BEA16
                        • WriteFile.KERNEL32(00000000,035D5B48,00000000), ref: 035BEA25
                        • CloseHandle.KERNEL32(00000000), ref: 035BEA2C
                        • ReleaseMutex.KERNEL32(00000000), ref: 035BEA38
                        • GetKeyState.USER32(00000014), ref: 035BEABC
                        • lstrlenW.KERNEL32(035DB4A8), ref: 035BEB0B
                        • wsprintfW.USER32 ref: 035BEB1D
                        • lstrlenW.KERNEL32(035DB4D0), ref: 035BEB3E
                        • lstrlenW.KERNEL32(035DB4D0), ref: 035BEB61
                        • wsprintfW.USER32 ref: 035BEB7F
                        • wsprintfW.USER32 ref: 035BEB95
                        • wsprintfW.USER32 ref: 035BEBBF
                        • lstrlenW.KERNEL32(00000000), ref: 035BEC0B
                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 035BEC21
                        • CreateFileW.KERNEL32(035E0D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 035BEC3B
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 035BEC59
                        • lstrlenW.KERNEL32(00000000,?,00000000), ref: 035BEC69
                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 035BEC74
                        • CloseHandle.KERNEL32(00000000), ref: 035BEC7B
                        • ReleaseMutex.KERNEL32(00000000), ref: 035BEC88
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrlen$wsprintf$ClipboardCloseGlobal$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWrite_memset$DataExchangeInterlockedLockOpenSizeSleepStateUnlock
                        • String ID: [$%s%s$%s%s$%s%s$[esc]
                        • API String ID: 1637302245-2373594894
                        APIs
                        • _memset.LIBCMT ref: 035B7804
                        • _memset.LIBCMT ref: 035B7850
                        • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 035B7864
                          • Part of subcall function 035B8720: _vswprintf_s.LIBCMT ref: 035B8731
                        • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,75920630,?,75920F00), ref: 035B7893
                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 035B78DA
                          • Part of subcall function 035B7740: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,035B78FC), ref: 035B7756
                          • Part of subcall function 035B7740: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,035B78FC,?,?,?,?,?,?,75920630), ref: 035B775D
                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 035B790A
                        • _memset.LIBCMT ref: 035B7923
                        • LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 035B793B
                        • GetProcAddress.KERNEL32(00000000), ref: 035B7944
                        • LoadLibraryA.KERNEL32(Kernel32.dll,ExitProcess,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 035B7956
                        • GetProcAddress.KERNEL32(00000000), ref: 035B7959
                        • LoadLibraryA.KERNEL32(Kernel32.dll,WinExec,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 035B796B
                        • GetProcAddress.KERNEL32(00000000), ref: 035B796E
                        • LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 035B7980
                        • GetProcAddress.KERNEL32(00000000), ref: 035B7983
                        • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 035B798B
                        • GetProcessId.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,75920630,?,75920F00), ref: 035B7992
                        • _memset.LIBCMT ref: 035B79B4
                        • GetModuleFileNameA.KERNEL32(00000000,?,000000FA,?,?,?,?,?,?,?,?,?,?,?,?,75920630), ref: 035B79CA
                        • VirtualAllocEx.KERNEL32(00000000,00000000,00000118,00003000,00000040), ref: 035B79FF
                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000118,00000000), ref: 035B7A1B
                        • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000001,?), ref: 035B7A43
                        • VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00003000,00000040), ref: 035B7A58
                        • WriteProcessMemory.KERNEL32(00000000,00000000,035B76F0,00001000,00000000), ref: 035B7A72
                        • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000001,00000000), ref: 035B7A90
                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 035B7AA1
                        • Sleep.KERNEL32(0000EA60,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75920630), ref: 035B7ABA
                        • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000040,00000000), ref: 035B7AD6
                        • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000040,00000000), ref: 035B7AE8
                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,75920630), ref: 035B7AF1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$Virtual$AddressLibraryLoadProcProtect_memset$AllocCreateCurrentFileMemoryOpenThreadWrite$AttributesDirectoryModuleNameRemoteResumeSleepSystemToken_vswprintf_s
                        • String ID: %s%s$D$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                        • API String ID: 4176418925-3213446972
                        APIs
                        • _memset.LIBCMT ref: 003B5859
                        • _memset.LIBCMT ref: 003B5878
                        • _memset.LIBCMT ref: 003B58AD
                        • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 003B58C1
                          • Part of subcall function 003B59F0: _vswprintf_s.LIBCMT ref: 003B5A01
                        • GetFileAttributesA.KERNEL32(?), ref: 003B58F0
                        • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 003B5938
                        • VirtualAllocEx.KERNEL32(?,00000000,000311BF,00003000,00000040,75920630), ref: 003B595E
                        • WriteProcessMemory.KERNEL32(?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,75920630), ref: 003B5978
                        • GetThreadContext.KERNEL32(?,?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,75920630), ref: 003B5997
                        • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,75920630), ref: 003B59B2
                        • ResumeThread.KERNEL32(?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,75920630), ref: 003B59D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                        • String ID: %s%s$D$Windows\SysWOW64\tracerpt.exe$Windows\System32\tracerpt.exe
                        • API String ID: 2170139861-1986163084
                        • Opcode ID: a8481def356e4287a88ae0dd9211f093c484860cf6ce183fd251fad45550871b
                        • Instruction ID: b5456094b9d1163addafbd4c5f9e80237f1a6a96d2830b29d028278f269a8724
                        • Opcode Fuzzy Hash: a8481def356e4287a88ae0dd9211f093c484860cf6ce183fd251fad45550871b
                        • Instruction Fuzzy Hash: 6C4185B0A40318ABE721DF60DC85FEA77BCEF54704F00459DB64DE6581DBB4AA848F54
                        APIs
                        • _memset.LIBCMT ref: 035B7E73
                        • _memset.LIBCMT ref: 035B7E9F
                        • _memset.LIBCMT ref: 035B7ED4
                        • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 035B7EE8
                          • Part of subcall function 035B8720: _vswprintf_s.LIBCMT ref: 035B8731
                        • GetFileAttributesA.KERNEL32(?), ref: 035B7F15
                        • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 035B7F65
                        • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 035B7F92
                        • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 035B7FAA
                        • GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 035B7FCC
                        • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 035B7FEA
                        • ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 035B7FFF
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                        • String ID: %s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                        • API String ID: 2170139861-2473635271
                        • Opcode ID: 32b4dd77d526ac37aa7d1bd3ec9a28e393aeada6bfcf0b7efdbeaa608955f795
                        • Instruction ID: aab87b8d7916769553d085e614778bd66c97f762975a69f35cab47620b019c6f
                        • Opcode Fuzzy Hash: 32b4dd77d526ac37aa7d1bd3ec9a28e393aeada6bfcf0b7efdbeaa608955f795
                        • Instruction Fuzzy Hash: 6D4194B1A00358ABDB31DB64EC85FDE77BCAB84700F0045D9A609A6190EBB09B85CF54
                        APIs
                        • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,035E0D80,7591E010,75922FA0,75920F00,?,035B6028,?,?), ref: 035BE519
                        • lstrcatW.KERNEL32(035E0D80,\DisplaySessionContainers.log,?,035B6028,?,?), ref: 035BE529
                        • CreateMutexW.KERNEL32(00000000,00000000,035E0D80,?,035B6028,?,?), ref: 035BE538
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,035B6028,?,?), ref: 035BE546
                        • CreateFileW.KERNEL32(035E0D80,40000000,00000002,00000000,00000004,00000080,00000000,?,035B6028,?,?), ref: 035BE563
                        • GetFileSize.KERNEL32(00000000,00000000,?,035B6028,?,?), ref: 035BE56E
                        • CloseHandle.KERNEL32(00000000,?,035B6028,?,?), ref: 035BE577
                        • DeleteFileW.KERNEL32(035E0D80,?,035B6028,?,?), ref: 035BE58A
                        • ReleaseMutex.KERNEL32(00000000,?,035B6028,?,?), ref: 035BE597
                        • DirectInput8Create.DINPUT8(?,00000800,035D4934,035E1220,00000000,?,035B6028,?,?), ref: 035BE5B2
                        • GetTickCount.KERNEL32 ref: 035BE665
                        • GetKeyState.USER32(00000014), ref: 035BE672
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
                        • String ID: <$\DisplaySessionContainers.log
                        • API String ID: 1095970075-1170057892
                        • Opcode ID: e4a5b5b3981cb0b81b80db764794b4d4a6eac9e4cc7f5912b4c30db9548a46d8
                        • Instruction ID: 382a1d8b51d4a9f7f60ba77778d7e1272f26ad7accfceb842bdf68fbfaa77804
                        • Opcode Fuzzy Hash: e4a5b5b3981cb0b81b80db764794b4d4a6eac9e4cc7f5912b4c30db9548a46d8
                        • Instruction Fuzzy Hash: 9B419A70B41205AFD724EFAAFC4AF9E7BB4BB48700F104448F615DF2A4C6B1A506DBA4
                        APIs
                        • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?,035BDFA4), ref: 035B7637
                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,035BDFA4), ref: 035B763E
                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 035B765A
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 035B7677
                        • CloseHandle.KERNEL32(?), ref: 035B7681
                        • GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess,?,?,?,?,?,?,?,035BDFA4), ref: 035B7691
                        • GetProcAddress.KERNEL32(00000000), ref: 035B7698
                        • GetCurrentProcessId.KERNEL32 ref: 035B76BA
                        • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 035B76C7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
                        • String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
                        • API String ID: 1802016953-1577477132
                        • Opcode ID: a9848cb049a5888628e5cd3464f0f093cf00c7cbc0162400b1430a40aae9a5fb
                        • Instruction ID: 301e5a628a5ddd423c456327153d88b5a4a43ab1e42c5de14636880204975fb8
                        • Opcode Fuzzy Hash: a9848cb049a5888628e5cd3464f0f093cf00c7cbc0162400b1430a40aae9a5fb
                        • Instruction Fuzzy Hash: CD216071A41309AFD720EFE4EC0AFFE7778EB48700F404409FA05AA194DBB0595ADBA5
                        APIs
                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 035C0576
                        • GetSystemInfo.KERNEL32(?), ref: 035C058E
                        • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 035C059E
                        • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 035C05AE
                        • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 035C0600
                        • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 035C0615
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
                        • String ID: SetThreadStackGuarantee$kernel32.dll
                        • API String ID: 3290314748-423161677
                        • Opcode ID: 325c4f1005e35bd8a20dde4670ff104c2be376d71e782a82d205ac36b4cf2ad6
                        • Instruction ID: 901314f2bd76532849eebf130f2ddd139f3516454624b5c7bd73dc6b5295d092
                        • Opcode Fuzzy Hash: 325c4f1005e35bd8a20dde4670ff104c2be376d71e782a82d205ac36b4cf2ad6
                        • Instruction Fuzzy Hash: C431C2B1E01259EFDB20DBE4EC44AAEB7B8BB44749F140419E501E7090DB70EA44CB90
                        APIs
                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 035B7B89
                        • OpenProcessToken.ADVAPI32(00000000), ref: 035B7B90
                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 035B7BB6
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 035B7BCC
                        • GetLastError.KERNEL32 ref: 035B7BD2
                        • CloseHandle.KERNEL32(?), ref: 035B7BE0
                        • CloseHandle.KERNEL32(?), ref: 035B7BFB
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                        • String ID: SeShutdownPrivilege
                        • API String ID: 3435690185-3733053543
                        • Opcode ID: 51c02633fd659e65b1f8709ba9876ddd18817329ef7a4244528cd144ad5e791c
                        • Instruction ID: 1a6672167b6369cbe563a2ef1523b9de602962cb37c789038e4d23c1858275c1
                        • Opcode Fuzzy Hash: 51c02633fd659e65b1f8709ba9876ddd18817329ef7a4244528cd144ad5e791c
                        • Instruction Fuzzy Hash: 4311AB71A4120DABD720EFB4EC09FEE7778FF48700F404959F905AB194DA719915DBA0
                        APIs
                        • OpenEventLogW.ADVAPI32(00000000,035D58C0), ref: 035BB3E7
                        • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 035BB3F2
                        • CloseEventLog.ADVAPI32(00000000), ref: 035BB3F9
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Event$ClearCloseOpen
                        • String ID: Application$Security$System
                        • API String ID: 1391105993-2169399579
                        • Opcode ID: bc7151e7ccdb4dc9530b953df360ec10a745b1109f919ccdb64bb600ca545ba3
                        • Instruction ID: 55a775d9147cd48dea5fc248e8577952e2f6789beb3fdf51b08f8ff3f1dd485b
                        • Opcode Fuzzy Hash: bc7151e7ccdb4dc9530b953df360ec10a745b1109f919ccdb64bb600ca545ba3
                        • Instruction Fuzzy Hash: 26E02B327023144BC231DF09B844B1EF3F0FFCD305F140D19E54892124C770840A9BA6
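The function above opens, clears and closes the Application, Security and System logs in turn (the three channel names are its only strings). Clearing a log through the Event Log service does not happen silently: Windows writes event 1102 to the Security log when the Security log is cleared, and event 104 to the System log (provider Microsoft-Windows-Eventlog) for every other channel, naming the cleared channel in the event data. The detection below, an added example written for this report and not part of the Joe Sandbox output, groups those records by user within a short window and raises the severity when all three logs go within one burst, which is what this sample's loop would produce. The record layout (flat keys Channel, EventID, Provider, TimeCreated, SubjectUserName, Data) is an assumed SIEM flattening of the EVTX fields, and the sample events are constructed, not taken from this analysis run.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from this report's sandbox run), shaped like
# the fields a SIEM keeps from Windows EVTX: channel, event id, provider,
# timestamp, acting user and the event's data section.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog",
     "TimeCreated": "2025-01-13T10:15:01", "SubjectUserName": "alice",
     "Data": {"Channel": "Application"}},
    {"Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog",
     "TimeCreated": "2025-01-13T10:15:01", "SubjectUserName": "alice", "Data": {}},
    {"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog",
     "TimeCreated": "2025-01-13T10:15:02", "SubjectUserName": "alice",
     "Data": {"Channel": "System"}},
    # Ordinary logon record: must not be treated as a clear.
    {"Channel": "Security", "EventID": 4624,
     "Provider": "Microsoft-Windows-Security-Auditing",
     "TimeCreated": "2025-01-13T10:20:00", "SubjectUserName": "alice", "Data": {}},
]


def cleared_log(ev):
    """Return the name of the log a record says was cleared, or None.

    A Security log clear is audited as 1102 in the Security channel; a clear of
    any other channel is written as 104 in the System channel, with the cleared
    channel carried in the event data. Both come from Microsoft-Windows-Eventlog.
    """
    if ev.get("Provider") != "Microsoft-Windows-Eventlog":
        return None
    if ev["Channel"] == "Security" and ev["EventID"] == 1102:
        return "Security"
    if ev["Channel"] == "System" and ev["EventID"] == 104:
        return ev.get("Data", {}).get("Channel")
    return None


def find_log_clearing(events, window=timedelta(seconds=60)):
    """Group clear records per user into bursts no more than `window` apart.

    Returns one alert per burst with the set of logs wiped; clearing all three
    of Application, Security and System together (what the function above does)
    is rated high, a single clear medium.
    """
    clears = []
    for ev in events:
        log = cleared_log(ev)
        if log:
            clears.append((datetime.fromisoformat(ev["TimeCreated"]),
                           ev["SubjectUserName"], log))
    clears.sort()

    alerts = []
    for when, user, log in clears:
        last = alerts[-1] if alerts else None
        if last and last["user"] == user and when - last["last"] <= window:
            last["logs"].add(log)
            last["last"] = when
        else:
            alerts.append({"user": user, "first": when, "last": when, "logs": {log}})
    for alert in alerts:
        wiped_all = {"Application", "Security", "System"} <= alert["logs"]
        alert["severity"] = "high" if wiped_all else "medium"
    return alerts


if __name__ == "__main__":
    for alert in find_log_clearing(SAMPLE_EVENTS):
        print(alert["severity"], alert["user"], sorted(alert["logs"]), alert["first"])
```

The point for responders is that the wipe is its own evidence: the 1102 and 104 records are written by the service as part of the clear, so a log that ends with them, or a forwarded copy that contains them, dates the activity even though everything before is gone. Forwarding Security and System to a collector is what makes the correlation survive the sample's own cleanup.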
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: swprintf$_memset
                        • String ID: :$@
                        • API String ID: 1292703666-1367939426
                        • Opcode ID: 3d5004218d91dc4100e046b41ba34f0424eaff1e0d9aac26d7e5b183c8120afd
                        • Instruction ID: 764d9160b45b548a68b0477f9cdd0ae7b2267f4503446e8f32caa79fed9f268f
                        • Opcode Fuzzy Hash: 3d5004218d91dc4100e046b41ba34f0424eaff1e0d9aac26d7e5b183c8120afd
                        • Instruction Fuzzy Hash: 08315EB6D4021CABDB14CFE5CC85FEEB7B9FB88300F50421DE91AAB241E6746945CB94
                        APIs
                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,035B78FC), ref: 035B7756
                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,035B78FC,?,?,?,?,?,?,75920630), ref: 035B775D
                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 035B7785
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 035B77B9
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                        • String ID: SeDebugPrivilege
                        • API String ID: 2349140579-2896544425
                        • Opcode ID: c5495a3a676528d1cb58b89bea20c53bce622a19663b9a36c98db5bec364d42a
                        • Instruction ID: a6193e1fd2c86c5fa0e71695a294ccc85f364c107b8379e1fe67acbd4f0c0904
                        • Opcode Fuzzy Hash: c5495a3a676528d1cb58b89bea20c53bce622a19663b9a36c98db5bec364d42a
                        • Instruction Fuzzy Hash: 9D115E71A4120DABDB10DFE4EC4AFEEB7B4FF48700F108558E506AB2A0EA75A515DB60
                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 035C131C
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035C1331
                        • UnhandledExceptionFilter.KERNEL32(035D25B8), ref: 035C133C
                        • GetCurrentProcess.KERNEL32(C0000409), ref: 035C1358
                        • TerminateProcess.KERNEL32(00000000), ref: 035C135F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                        • String ID:
                        • API String ID: 2579439406-0
                        • Opcode ID: 7d605c03e9cbe2172fd97823314b54c5178fe8cecd98de493aa1e2aa962e1f14
                        • Instruction ID: a37c3412c988b225e6086833da7ac4835e39f649e3e40cdf7afb75d69531fe22
                        • Opcode Fuzzy Hash: 7d605c03e9cbe2172fd97823314b54c5178fe8cecd98de493aa1e2aa962e1f14
                        • Instruction Fuzzy Hash: 1921DEB844B2049FC760EF68F445E483BA0BB08305F10845AE90A873B8EB7056BAEF55
                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 003B7A14
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003B7A29
                        • UnhandledExceptionFilter.KERNEL32(003C534C), ref: 003B7A34
                        • GetCurrentProcess.KERNEL32(C0000409), ref: 003B7A50
                        • TerminateProcess.KERNEL32(00000000), ref: 003B7A57
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                        • String ID:
                        • API String ID: 2579439406-0
                        • Opcode ID: a67fcdd9bd61785517f270f79c699bcee85daa3cf3aaf463fb5af880b910ecae
                        • Instruction ID: 3c2be3c9f4259129950b974bb07c7df9f2766257aa94a6221c801ee45c4220fc
                        • Opcode Fuzzy Hash: a67fcdd9bd61785517f270f79c699bcee85daa3cf3aaf463fb5af880b910ecae
                        • Instruction Fuzzy Hash: 3721B3B5814A08DFD703DF69E98AE583BBCFB08359F51801AE508C7260EBB479818F06
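Two things in this section deserve a second look from anyone triaging the report. First, the pair of listings earlier in the section whose strings name Windows\System32\tracerpt.exe and Windows\SysWOW64\svchost.exe (one in the PE image at 003B0000, one in the unpacked region at 035B0000) are the process-hollowing primitive spelled out call by call: CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED), VirtualAllocEx with 00003000 (MEM_COMMIT | MEM_RESERVE) and 00000040 (PAGE_EXECUTE_READWRITE), WriteProcessMemory, GetThreadContext/SetThreadContext (the 00010007 shown is the x86 CONTEXT_FULL value) and ResumeThread, with the target path built from GetSystemDirectoryA. Second, the two functions just above that call IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess with status C0000409 (STATUS_STACK_BUFFER_OVERRUN) are the MSVC runtime's /GS security-cookie failure handler (__report_gsfailure and __raise_securityfailure), which the compiler links into every protected binary; they are not the sample's own anti-debugging. The script below is an added example written for this page, not Joe Sandbox code: it parses call lines in the exact format of the APIs blocks on this page, decodes the constants above, flags the hollowing chain together with the target executables from the String ID line, and separately classifies the CRT stub so it can be discounted. The sample call lines are copied from the listings on this page; the function and field names are the example's own.

```python
import re

# Windows SDK constants (winbase.h / winnt.h) behind the hex values in the listings.
CREATE_SUSPENDED = 0x4                 # CreateProcess dwCreationFlags bit
MEM_COMMIT_RESERVE = 0x3000            # MEM_COMMIT | MEM_RESERVE
PAGE_EXECUTE_READWRITE = 0x40
CONTEXT_FULL_X86 = 0x10007             # CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409

# One call line of a Joe Sandbox 'APIs' block, e.g.
#   • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 035B7F92
_CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")


def parse_api_block(text):
    """Return [(api, args, ref)]; args are ints for hex words, None for '?', str otherwise."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        args = []
        for tok in filter(None, (t.strip() for t in (m["args"] or "").split(","))):
            if tok == "?":
                args.append(None)
            elif re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
                args.append(int(tok, 16))
            else:
                args.append(tok)          # string argument such as a privilege name
        calls.append((m["api"], args, m["ref"] or ""))
    return calls


def parse_string_ids(line):
    """'• String ID: a$b$c' -> ['a', 'b', 'c'] ('$' separates strings in the report)."""
    _, _, body = line.partition("String ID:")
    return [s for s in body.strip().split("$") if s]


def _first(calls, prefix):
    return next((i for i, (api, _, _) in enumerate(calls) if api.startswith(prefix)), -1)


def detect_process_hollowing(calls, strings=()):
    """CreateProcess(CREATE_SUSPENDED) -> VirtualAllocEx -> WriteProcessMemory ->
    SetThreadContext -> ResumeThread, in that order inside one function."""
    chain = ["CreateProcess", "VirtualAllocEx", "WriteProcessMemory",
             "SetThreadContext", "ResumeThread"]
    idx = [_first(calls, name) for name in chain]
    if -1 in idx or idx != sorted(idx):
        return None
    cp_args = calls[idx[0]][1]
    if not (len(cp_args) > 5 and isinstance(cp_args[5], int)
            and cp_args[5] & CREATE_SUSPENDED):
        return None                       # not suspended: ordinary process creation
    va_args = calls[idx[1]][1]
    rwx = len(va_args) > 4 and va_args[4] == PAGE_EXECUTE_READWRITE
    targets = [s for s in strings if s.lower().endswith(".exe")]
    return {"technique": "process hollowing", "rwx": rwx,
            "targets": targets, "ref": calls[idx[0]][2]}


def is_crt_gs_failure_stub(calls):
    """IsDebuggerPresent + SetUnhandledExceptionFilter(NULL) + UnhandledExceptionFilter
    + TerminateProcess(GetCurrentProcess(), 0xC0000409) is the MSVC CRT's
    __report_gsfailure/__raise_securityfailure (/GS cookie check), not anti-debugging."""
    names = {api for api, _, _ in calls}
    needed = {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
              "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"}
    status = any(a == STATUS_STACK_BUFFER_OVERRUN for _, args, _ in calls for a in args)
    return needed <= names and status


# Sample input: call lines copied from the listings on this page.
HOLLOWING_BLOCK = """
• GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 035B7EE8
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 035B7F65
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 035B7F92
• WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 035B7FAA
• GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 035B7FCC
• SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 035B7FEA
• ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 035B7FFF
"""
HOLLOWING_STRINGS = "• String ID: %s%s$D$Windows\\SysWOW64\\svchost.exe$Windows\\System32\\svchost.exe"
GS_BLOCK = """
• IsDebuggerPresent.KERNEL32 ref: 035C131C
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 035C1331
• UnhandledExceptionFilter.KERNEL32(035D25B8), ref: 035C133C
• GetCurrentProcess.KERNEL32(C0000409), ref: 035C1358
• TerminateProcess.KERNEL32(00000000), ref: 035C135F
"""

if __name__ == "__main__":
    hit = detect_process_hollowing(parse_api_block(HOLLOWING_BLOCK),
                                   parse_string_ids(HOLLOWING_STRINGS))
    print(hit)                                            # rwx True, both svchost.exe paths
    print(is_crt_gs_failure_stub(parse_api_block(GS_BLOCK)))   # True: compiler stub
```

For hunting, the useful output is the target list: the hollowed host is a legitimately signed tracerpt.exe or svchost.exe whose image on disk is clean, so look for those binaries running with a parent that is not services.exe, with an RWX private region at their image base, or with network activity they never have on their own. The GS-stub check is worth keeping in any triage script that counts IsDebuggerPresent callers, since every /GS-compiled binary contains that sequence once.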
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_swprintf
                        • String ID:
                        • API String ID: 2109912724-0
                        • Opcode ID: 59eac40237c681db7278c1f57b37db5e31bea7865636ab552f4611946e0cc63a
                        • Instruction ID: 2016fbcf2bb77ce0df3b848a8248030512e2078f75c21a14ded263a591249f41
                        • Opcode Fuzzy Hash: 59eac40237c681db7278c1f57b37db5e31bea7865636ab552f4611946e0cc63a
                        • Instruction Fuzzy Hash: D9E16571E012269FDF24DE24CCC0BEEB775EB4A300F1545EAD95AAB384D630AE818F54
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: l$ntdl
                        • API String ID: 0-924918826
                        • Opcode ID: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
                        • Instruction ID: 9e3f8cfd56413a8bea38690343bb7c0d11732242db12b872aa808315a0427bae
                        • Opcode Fuzzy Hash: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
                        • Instruction Fuzzy Hash: 732101B5A006209FCF28DF54949862FBBF6EF4A710715829EE4069F354EB31C902C7D9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: [RO] %ld bytes
                        • API String ID: 0-772938740
                        • Opcode ID: 1d078d80aacfdd234b43cfa58a6551d9b4399a74657bf09ae387352ecbe108fd
                        • Instruction ID: 9dd6c78130410aebc94a5aaf5a2a52b4f6462aa7bdeee7269372d4cda940443b
                        • Opcode Fuzzy Hash: 1d078d80aacfdd234b43cfa58a6551d9b4399a74657bf09ae387352ecbe108fd
                        • Instruction Fuzzy Hash: FA221874A00B05DFCB24CF69D584A9ABBF1FF48300F14896DD85A97765D770E981CBA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID:
                        • String ID: [RO] %ld bytes
                        • API String ID: 0-772938740
                        • Opcode ID: 523ca1c7fb6ad2e9aaebb195b77180b352def7788e9e3e9c65d96efb847ce3f2
                        • Instruction ID: ccf6864036e7ad8b6fc5b3d7dc3e70a823d8297076433898297e7865e413f6b0
                        • Opcode Fuzzy Hash: 523ca1c7fb6ad2e9aaebb195b77180b352def7788e9e3e9c65d96efb847ce3f2
                        • Instruction Fuzzy Hash: C8223870A00B05CFDB25CF69C584A9ABBF1FF88308F248A6DD99A97B55D770E841CB50
                        APIs
                          • Part of subcall function 035B7B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 035B7B89
                          • Part of subcall function 035B7B70: OpenProcessToken.ADVAPI32(00000000), ref: 035B7B90
                          • Part of subcall function 035B7B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 035B7BB6
                          • Part of subcall function 035B7B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 035B7BCC
                          • Part of subcall function 035B7B70: GetLastError.KERNEL32 ref: 035B7BD2
                          • Part of subcall function 035B7B70: CloseHandle.KERNEL32(?), ref: 035B7BE0
                        • ExitWindowsEx.USER32(00000005,00000000), ref: 035BB471
                          • Part of subcall function 035B7B70: CloseHandle.KERNEL32(?), ref: 035B7BFB
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                        • String ID:
                        • API String ID: 681424410-0
                        • Opcode ID: ae4e8e013efaf77b0b0936dc1b4d9b2c1868d18567560d0f788ec057f9ba18c6
                        • Instruction ID: 32c0d1549d88d614b3c3eb432f79447ac18b5373be279348d25775e9bc8bfbcc
                        • Opcode Fuzzy Hash: ae4e8e013efaf77b0b0936dc1b4d9b2c1868d18567560d0f788ec057f9ba18c6
                        • Instruction Fuzzy Hash: 53C08C3634120002D624B2B97822FAAB360FFC8322F0004ABA70A8C0E01C5284A509A6
                        APIs
                          • Part of subcall function 035B7B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 035B7B89
                          • Part of subcall function 035B7B70: OpenProcessToken.ADVAPI32(00000000), ref: 035B7B90
                          • Part of subcall function 035B7B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 035B7BB6
                          • Part of subcall function 035B7B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 035B7BCC
                          • Part of subcall function 035B7B70: GetLastError.KERNEL32 ref: 035B7BD2
                          • Part of subcall function 035B7B70: CloseHandle.KERNEL32(?), ref: 035B7BE0
                        • ExitWindowsEx.USER32(00000004,00000000), ref: 035BB429
                          • Part of subcall function 035B7B70: CloseHandle.KERNEL32(?), ref: 035B7BFB
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                        • String ID:
                        • API String ID: 681424410-0
                        • Opcode ID: 159a71f85f5e71a07b13be80726dcb6c461cc4d9ff82b3525d48cbeccd069a7b
                        • Instruction ID: b9de70cd27d0a7f3f8b386c40512f5c872d045da5d1d1f8b026688b0ef9694e4
                        • Opcode Fuzzy Hash: 159a71f85f5e71a07b13be80726dcb6c461cc4d9ff82b3525d48cbeccd069a7b
                        • Instruction Fuzzy Hash: 8EC08C3634120106D624B3B97822FA9B360FFC8322F0004ABA70A8C0E01C6284A505AA
                        APIs
                          • Part of subcall function 035B7B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 035B7B89
                          • Part of subcall function 035B7B70: OpenProcessToken.ADVAPI32(00000000), ref: 035B7B90
                          • Part of subcall function 035B7B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 035B7BB6
                          • Part of subcall function 035B7B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 035B7BCC
                          • Part of subcall function 035B7B70: GetLastError.KERNEL32 ref: 035B7BD2
                          • Part of subcall function 035B7B70: CloseHandle.KERNEL32(?), ref: 035B7BE0
                        • ExitWindowsEx.USER32(00000006,00000000), ref: 035BB44D
                          • Part of subcall function 035B7B70: CloseHandle.KERNEL32(?), ref: 035B7BFB
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                        • String ID:
                        • API String ID: 681424410-0
                        • Opcode ID: 8cc8bac94710db54688e01a40113e337e558d8e6db4c3a5cf839f5984aad5761
                        • Instruction ID: 5ccd01f8df3345e23fb967283e05f2ca3852fcde2b2fa5ee6a29239c47358147
                        • Opcode Fuzzy Hash: 8cc8bac94710db54688e01a40113e337e558d8e6db4c3a5cf839f5984aad5761
                        • Instruction Fuzzy Hash: A1C08C3634120002D624B2B97822FAAB360FFC8322F0004ABA60A8C0E01C5384A545A6
                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 003B6513
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: DebuggerPresent
                        • String ID:
                        • API String ID: 1347740429-0
                        • Opcode ID: b5794c788a3c883fa408ab20b2ce34775c9182e047625b74317b55d92f8eebca
                        • Instruction ID: 3fc9c1faf426bf1dee38a08a2739e3e1367c5b0e9af5e3845ccc153b16a73c7b
                        • Opcode Fuzzy Hash: b5794c788a3c883fa408ab20b2ce34775c9182e047625b74317b55d92f8eebca
                        • Instruction Fuzzy Hash: 67C08C722402084A4A12EBA0AC02966B78C5B603407004036E70ECA892DA25F860C6A8
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_0000AF6C), ref: 003BAFB3
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 32b5d527c82307de1806c84ce5e9b31ccac42ac93c100cfb52108dd83b39a3b6
                        • Instruction ID: 6388664b82f71d1d8ea6e3f95d9892d06202d8f5ae690c2a5a6703439bb50a1c
                        • Opcode Fuzzy Hash: 32b5d527c82307de1806c84ce5e9b31ccac42ac93c100cfb52108dd83b39a3b6
                        • Instruction Fuzzy Hash: 239002E0651D105A470217745C098D526946E48716B810450E145C4454DB50608A9652
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: HeapProcess
                        • String ID:
                        • API String ID: 54951025-0
                        • Opcode ID: e708e89b89522247868e37e8c2fd1287ab0051ba5414fe74ae103972ba79d093
                        • Instruction ID: c1f414f1a34d13fb5eb1e7b8da4ea7e418296df5ac7f0b330c093ef232baa739
                        • Opcode Fuzzy Hash: e708e89b89522247868e37e8c2fd1287ab0051ba5414fe74ae103972ba79d093
                        • Instruction Fuzzy Hash: C2C08CB4004E488ECF0B9FA0B81CF083BB9A39130DF10000EE002CA670C7743C84CB06
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d1a1e6fc09a70fee1dd0ac75ef5d7775d7f43c7fdce33bca143702215242b5be
                        • Instruction ID: f5d166d14c3a689f69f1bda9f993359e63602349d9803d38fd1d6100ab1e3f13
                        • Opcode Fuzzy Hash: d1a1e6fc09a70fee1dd0ac75ef5d7775d7f43c7fdce33bca143702215242b5be
                        • Instruction Fuzzy Hash: 50225177E5161A8BDB08CA95CC515D9B3E3BBC8314B1F9129C819E3305EE79BA478BC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0b002d871f07078b8ecd3042a29fe254b9eb17322af0e689142c048de47cb17d
                        • Instruction ID: 81b803f4f7472252231712dd29638e98d2adaecedc5f9ed5fb2a04fe599606ee
                        • Opcode Fuzzy Hash: 0b002d871f07078b8ecd3042a29fe254b9eb17322af0e689142c048de47cb17d
                        • Instruction Fuzzy Hash: 46226277E5161A8BDB08CA95CC515D9B3E3BBC8314B1F9129C819E3305EE78BA478BC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3058a07df5aabf28338662ae90deeed0b5b0fbdf94db8f937aae2d4e448f9d9a
                        • Instruction ID: fc460c5fcd08f35fb8beb51d7b424fbeae49c43892bcd1b6ee3906d1823d863b
                        • Opcode Fuzzy Hash: 3058a07df5aabf28338662ae90deeed0b5b0fbdf94db8f937aae2d4e448f9d9a
                        • Instruction Fuzzy Hash: D0223774A00B059FCB24CF69C980A9ABBF1FF49300F148A6ED95A9B755D370E881CB94
                        APIs
                          • Part of subcall function 035BF707: _malloc.LIBCMT ref: 035BF721
                        • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 035BB586
                        • RegDeleteValueW.ADVAPI32(?,IpDate), ref: 035BB596
                        • RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 035BB5B3
                        • _memset.LIBCMT ref: 035BB5D4
                        • RegCloseKey.ADVAPI32(?), ref: 035BB61B
                        • _memset.LIBCMT ref: 035BB63C
                        • RegCloseKey.ADVAPI32(?), ref: 035BB72C
                        • Sleep.KERNEL32(000007D0), ref: 035BB737
                          • Part of subcall function 035BF707: std::exception::exception.LIBCMT ref: 035BF756
                          • Part of subcall function 035BF707: std::exception::exception.LIBCMT ref: 035BF770
                          • Part of subcall function 035BF707: __CxxThrowException@8.LIBCMT ref: 035BF781
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseValue_memsetstd::exception::exception$DeleteException@8OpenSleepThrow_malloc
                        • String ID: 127.0.0.1$45.207.211.42$45.207.211.42$6666$6666$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
                        • API String ID: 1186799303-2370477372
                        • Opcode ID: ecc80f2569790376fab24d534ed1f3f96014d8a4f757ab035e35b4d7925d4c0c
                        • Instruction ID: aa1588db823034bf70640b62fc1a1d5b6a8bbfdeb756a9df2e8c707a3412a4c1
                        • Opcode Fuzzy Hash: ecc80f2569790376fab24d534ed1f3f96014d8a4f757ab035e35b4d7925d4c0c
                        • Instruction Fuzzy Hash: EC4190757813017FE220EB14BC87F9E7378BF85B14F144414FA196E2A2E6A0B91586A6
                        APIs
                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,035C0FC1,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C401C
                        • __mtterm.LIBCMT ref: 035C4028
                          • Part of subcall function 035C3CF1: DecodePointer.KERNEL32(00000006,035C1084,035C106A,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C3D02
                          • Part of subcall function 035C3CF1: TlsFree.KERNEL32(00000013,035C1084,035C106A,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C3D1C
                          • Part of subcall function 035C3CF1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,035C1084,035C106A,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C8D48
                          • Part of subcall function 035C3CF1: _free.LIBCMT ref: 035C8D4B
                          • Part of subcall function 035C3CF1: DeleteCriticalSection.KERNEL32(00000013,?,?,035C1084,035C106A,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C8D72
                        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 035C403E
                        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 035C404B
                        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 035C4058
                        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 035C4065
                        • TlsAlloc.KERNEL32(?,?,035C0FC1,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C40B5
                        • TlsSetValue.KERNEL32(00000000,?,?,035C0FC1,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C40D0
                        • __init_pointers.LIBCMT ref: 035C40DA
                        • EncodePointer.KERNEL32(?,?,035C0FC1,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C40EB
                        • EncodePointer.KERNEL32(?,?,035C0FC1,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C40F8
                        • EncodePointer.KERNEL32(?,?,035C0FC1,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C4105
                        • EncodePointer.KERNEL32(?,?,035C0FC1,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C4112
                        • DecodePointer.KERNEL32(Function_00013E75,?,?,035C0FC1,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C4133
                        • __calloc_crt.LIBCMT ref: 035C4148
                        • DecodePointer.KERNEL32(00000000,?,?,035C0FC1,035D6278,00000008,035C1155,?,?,?,035D6298,0000000C,035C1210,?), ref: 035C4162
                        • GetCurrentThreadId.KERNEL32 ref: 035C4174
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                        • API String ID: 3698121176-3819984048
                        • Opcode ID: 97b141d989d2165a8c4dd4a6a73c297848d99a6135c3f2741c583ce0b6372178
                        • Instruction ID: e322aaa458592ba529018b1a4843ec6c4514d535269344123867683545915605
                        • Opcode Fuzzy Hash: 97b141d989d2165a8c4dd4a6a73c297848d99a6135c3f2741c583ce0b6372178
                        • Instruction Fuzzy Hash: 123171B69513859ED725FFB7F808D297FA4FB44264B04052BE8209B1B4E7B0805AFF50
                        APIs
                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,003B7822,003C7B80,00000014), ref: 003B9BF2
                        • __mtterm.LIBCMT ref: 003B9BFE
                          • Part of subcall function 003B98C9: DecodePointer.KERNEL32(00000005,003B9D60,?,003B7822,003C7B80,00000014), ref: 003B98DA
                          • Part of subcall function 003B98C9: TlsFree.KERNEL32(00000004,003B9D60,?,003B7822,003C7B80,00000014), ref: 003B98F4
                          • Part of subcall function 003B98C9: DeleteCriticalSection.KERNEL32(00000000,00000000,76EE5810,?,003B9D60,?,003B7822,003C7B80,00000014), ref: 003BC06D
                          • Part of subcall function 003B98C9: _free.LIBCMT ref: 003BC070
                          • Part of subcall function 003B98C9: DeleteCriticalSection.KERNEL32(00000004,76EE5810,?,003B9D60,?,003B7822,003C7B80,00000014), ref: 003BC097
                        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003B9C14
                        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003B9C21
                        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003B9C2E
                        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003B9C3B
                        • TlsAlloc.KERNEL32(?,003B7822,003C7B80,00000014), ref: 003B9C8B
                        • TlsSetValue.KERNEL32(00000000,?,003B7822,003C7B80,00000014), ref: 003B9CA6
                        • __init_pointers.LIBCMT ref: 003B9CB0
                        • EncodePointer.KERNEL32(?,003B7822,003C7B80,00000014), ref: 003B9CC1
                        • EncodePointer.KERNEL32(?,003B7822,003C7B80,00000014), ref: 003B9CCE
                        • EncodePointer.KERNEL32(?,003B7822,003C7B80,00000014), ref: 003B9CDB
                        • EncodePointer.KERNEL32(?,003B7822,003C7B80,00000014), ref: 003B9CE8
                        • DecodePointer.KERNEL32(Function_00009A4D,?,003B7822,003C7B80,00000014), ref: 003B9D09
                        • __calloc_crt.LIBCMT ref: 003B9D1E
                        • DecodePointer.KERNEL32(00000000,?,003B7822,003C7B80,00000014), ref: 003B9D38
                        • GetCurrentThreadId.KERNEL32 ref: 003B9D4A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                        • API String ID: 3698121176-3819984048
                        • Opcode ID: 04ae14a8cbf912fdfa6a082a9a66162646ce18c745619a4b14083cbfca86d33a
                        • Instruction ID: 27a0979d2aa43205d55ae449707605cd3c644ba702b8a5a7c6b1af11f5c43d48
                        • Opcode Fuzzy Hash: 04ae14a8cbf912fdfa6a082a9a66162646ce18c745619a4b14083cbfca86d33a
                        • Instruction Fuzzy Hash: EB3161319407159ACB23AB76BC4AF857FADAB46324F15051BE600D76B0DB74B441CF50
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memset$_wcsrchrlstrcat$EnvironmentExpandStringslstrlenwsprintf
                        • String ID: "%1$%s\shell\open\command$D$WinSta0\Default
                        • API String ID: 3970221696-33419044
                        • Opcode ID: a471897ee733306f6bd710582089db5e2bd551da02bd18760fa96ce6b6a5b426
                        • Instruction ID: c6cd6dba6b3daca548cacd6ad6fa63b756a233bf01019cf67246e0d1ff4edf52
                        • Opcode Fuzzy Hash: a471897ee733306f6bd710582089db5e2bd551da02bd18760fa96ce6b6a5b426
                        • Instruction Fuzzy Hash: 52510DB195031D6ADB30E7A4EC45FEE737CBF54701F404598A609AA0E0EBB09784CFA6
                        APIs
                        • LoadLibraryW.KERNEL32(wininet.dll), ref: 035B7CC3
                        • GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 035B7CD7
                        • FreeLibrary.KERNEL32(00000000), ref: 035B7CF7
                        • GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 035B7D16
                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 035B7D53
                        • _memset.LIBCMT ref: 035B7D7E
                        • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 035B7D8C
                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 035B7DDB
                        • CloseHandle.KERNEL32(?), ref: 035B7DF9
                        • Sleep.KERNEL32(00000001), ref: 035B7E01
                        • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 035B7E0D
                        • FreeLibrary.KERNEL32(00000000), ref: 035B7E28
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite_memset
                        • String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
                        • API String ID: 1463273941-1099148085
                        • Opcode ID: 7c37de1c3990405ad39d04ff7344f60c136e2e19c1bc40b9670199e7ddd0906b
                        • Instruction ID: 2c86de9f46269851b3487955e385acb3e9c3a45c1e7efbc36799bebca600f12b
                        • Opcode Fuzzy Hash: 7c37de1c3990405ad39d04ff7344f60c136e2e19c1bc40b9670199e7ddd0906b
                        • Instruction Fuzzy Hash: B6419371A4121CAFD730EB64AC41FEEB3F8BF88700F14C5A9E658A6190DE705A468FD4
                        APIs
                        • LoadLibraryW.KERNEL32(DbgHelp.dll), ref: 003B63AC
                        • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 003B63BE
                        • FreeLibrary.KERNEL32(00000000), ref: 003B63CF
                        • _memset.LIBCMT ref: 003B63FF
                        • GetLocalTime.KERNEL32(?), ref: 003B640E
                        • wsprintfW.USER32 ref: 003B6455
                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000), ref: 003B6474
                        • FreeLibrary.KERNEL32(00000000), ref: 003B6482
                        • GetCurrentThreadId.KERNEL32 ref: 003B649B
                        • GetCurrentProcessId.KERNEL32(00000000,00000001,?,00000000,00000000), ref: 003B64CB
                        • GetCurrentProcess.KERNEL32(00000000,?,00000000,00000000), ref: 003B64D2
                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 003B64E0
                        • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 003B64E7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Library$CurrentFree$Process$AddressCloseCreateFileHandleLoadLocalProcThreadTime_memsetwsprintf
                        • String ID: !analyze -v$%s-%04d%02d%02d-%02d%02d%02d.dmp$DbgHelp.dll$MiniDumpWriteDump
                        • API String ID: 3529074497-3774911088
                        • Opcode ID: 51328c72a9c6a50d43f40d85dca8be152a8740aa925e5aaf359cf4525a341b5b
                        • Instruction ID: effc145effc6e862665617aeada0b42fde1efd954f7d3e35d83a447b560149c6
                        • Opcode Fuzzy Hash: 51328c72a9c6a50d43f40d85dca8be152a8740aa925e5aaf359cf4525a341b5b
                        • Instruction Fuzzy Hash: 8D41E671940228ABCB219B65AC4DFFE777CEF48715F004199F909E6181DB746A80CBA0
                        APIs
                        • Sleep.KERNEL32(00000064), ref: 035B455A
                        • timeGetTime.WINMM ref: 035B457B
                        • GetCurrentThreadId.KERNEL32 ref: 035B459B
                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 035B45BD
                        • SwitchToThread.KERNEL32 ref: 035B45D7
                        • SetEvent.KERNEL32(?), ref: 035B4620
                        • CloseHandle.KERNEL32(?), ref: 035B4644
                        • send.WS2_32(?,035D49C0,00000010,00000000), ref: 035B4668
                        • SetEvent.KERNEL32(?), ref: 035B4686
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 035B4691
                        • WSACloseEvent.WS2_32(?), ref: 035B469F
                        • shutdown.WS2_32(?,00000001), ref: 035B46B3
                        • closesocket.WS2_32(?), ref: 035B46BD
                        • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 035B46F6
                        • SetLastError.KERNEL32(000005B4), ref: 035B470A
                        • GetCurrentThreadId.KERNEL32 ref: 035B472B
                        • InterlockedExchange.KERNEL32(?,00000001), ref: 035B4743
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                        • String ID:
                        • API String ID: 1692523546-0
                        • Opcode ID: 03f1adbb5916a98df87f7bcad908350e914172ca52d065ea6fbf37a37a03ad87
                        • Instruction ID: 94811fc8620762f7e38828917722285dc9bcb1efa3e975dc7c8717e23f5482de
                        • Opcode Fuzzy Hash: 03f1adbb5916a98df87f7bcad908350e914172ca52d065ea6fbf37a37a03ad87
                        • Instruction Fuzzy Hash: 8891B0B0200A16ABC734DF66E888BAAF7B9FF44701F148519E5168B6A5C730F496CBD0
                        APIs
                        • Sleep.KERNEL32(00000064), ref: 003B454A
                        • timeGetTime.WINMM ref: 003B456B
                        • GetCurrentThreadId.KERNEL32 ref: 003B458B
                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 003B45AD
                        • SwitchToThread.KERNEL32 ref: 003B45C7
                        • SetEvent.KERNEL32(?), ref: 003B4610
                        • CloseHandle.KERNEL32(?), ref: 003B4634
                        • send.WS2_32(?,003C7440,00000010,00000000), ref: 003B4658
                        • SetEvent.KERNEL32(?), ref: 003B4676
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 003B4681
                        • WSACloseEvent.WS2_32(?), ref: 003B468F
                        • shutdown.WS2_32(?,00000001), ref: 003B46A3
                        • closesocket.WS2_32(?), ref: 003B46AD
                        • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 003B46E6
                        • SetLastError.KERNEL32(000005B4), ref: 003B46FA
                        • GetCurrentThreadId.KERNEL32 ref: 003B471B
                        • InterlockedExchange.KERNEL32(?,00000001), ref: 003B4733
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                        • String ID:
                        • API String ID: 1692523546-0
                        • Opcode ID: 034e3abff06beb08e9cc2b7acfb5fada9e94e504973204fa99e4a9e0fbc25480
                        • Instruction ID: 7a4f8fe831cb5bc5f2348f2997095c694966a5c45e84280c3cbb8db6d40b40b2
                        • Opcode Fuzzy Hash: 034e3abff06beb08e9cc2b7acfb5fada9e94e504973204fa99e4a9e0fbc25480
                        • Instruction Fuzzy Hash: BE91C271200A11AFC726DF64D888BEAB7A9FF45709F108119E616CBE52DB31F891CBD4
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memset$swprintf$_malloc
                        • String ID: %s %s$onlyloadinmyself$xiugaishiyong
                        • API String ID: 1873853019-2611285242
                        • Opcode ID: 5bbbbc2114b667629791046fe0e8275510d54f41ddc39b8f8815c1598e6a65a5
                        • Instruction ID: 297e7212bf2cf5c67cf7d7bb8410711043dd85cefb72124db8b3e9f59b413ccf
                        • Opcode Fuzzy Hash: 5bbbbc2114b667629791046fe0e8275510d54f41ddc39b8f8815c1598e6a65a5
                        • Instruction Fuzzy Hash: 9081B4B5A40301ABE720EF64FC86FAB77B4BF85710F184464ED185F293E771E91186A2
                        APIs
                        • IsWindowVisible.USER32(?), ref: 035B5CD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: VisibleWindow
                        • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                        • API String ID: 1208467747-3439171801
                        • Opcode ID: d2bb1fcab69d3b571c8f90f0780d5acaf89f40c7bf995c601c163f0e6d29de6c
                        • Instruction ID: 0c39ac193fceed97866ee0fcbac292799ecdf5ca79ecc8ae0fb6312e9bc00856
                        • Opcode Fuzzy Hash: d2bb1fcab69d3b571c8f90f0780d5acaf89f40c7bf995c601c163f0e6d29de6c
                        • Instruction Fuzzy Hash: 8141C366E41312ADDAB1F5B57C02FDF216C7D6348AF0808A8FC08B9175F749D21A44EE
                        APIs
                        • SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,035BA8C1,?,?), ref: 035BDA43
                        • SetLastError.KERNEL32(000000C1,?,?,?,?,?,?,035BA8C1,?,?), ref: 035BDA62
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast
                        • String ID:
                        • API String ID: 1452528299-0
                        • Opcode ID: 5f5b918a53af4b40147b924f6aa46fd6dcc71b3a2bd8ac2d08ad548258fff7f4
                        • Instruction ID: 1c73b7845ab4b9a97040729f6da3ea2076eb93baa1db68c5b782abea1b207ccc
                        • Opcode Fuzzy Hash: 5f5b918a53af4b40147b924f6aa46fd6dcc71b3a2bd8ac2d08ad548258fff7f4
                        • Instruction Fuzzy Hash: 6D81FF727012059FD720DFA9E884BAAB7F8FB48315F084569E90ACB650E771E454CBD0
                        APIs
                        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,E07698D6,00000000,?,00000000,003B61A0,00000000), ref: 003B5A75
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(003B6300,00000000), ref: 003B5B14
                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 003B5B52
                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 003B5B77
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(003B63A0,00000000), ref: 003B5C6F
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(003B63B8,00000000), ref: 003B5C90
                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 003B5B9C
                          • Part of subcall function 003B1280: __CxxThrowException@8.LIBCMT ref: 003B1290
                          • Part of subcall function 003B1280: DeleteCriticalSection.KERNEL32(00000000,FFFFFFFF,003C7E78,?,?,003B6601), ref: 003B12A1
                        • InterlockedExchange.KERNEL32(003B61B8,00000000), ref: 003B5D01
                        • timeGetTime.WINMM ref: 003B5D07
                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003B5D1B
                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 003B5D24
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                        • String ID: <t<
                        • API String ID: 1400036169-3054241171
                        • Opcode ID: 2704a6ed178c3ac6416dc438c066ff2747469fefb8804a2514f403643dab0b7f
                        • Instruction ID: ed83d71e667ed6b445ab1d199540dc346f9ae7a52be1ecd98efa8e73161b58d5
                        • Opcode Fuzzy Hash: 2704a6ed178c3ac6416dc438c066ff2747469fefb8804a2514f403643dab0b7f
                        • Instruction Fuzzy Hash: F8A1F6B0A01A46AFD715DF7AC884B9AFBE8FB08304F50462EE12DD7640D774A964CF90
                        APIs
                        • _memset.LIBCMT ref: 035BC63D
                        • _memset.LIBCMT ref: 035BC64C
                        • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 035BC66F
                          • Part of subcall function 035BC81E: RegCloseKey.ADVAPI32(80000000,035BC7FA), ref: 035BC82B
                          • Part of subcall function 035BC81E: RegCloseKey.ADVAPI32(00000000), ref: 035BC834
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close_memset$Open
                        • String ID: %08X
                        • API String ID: 4292648718-3773563069
                        • Opcode ID: 11d2306c911dd3fa81f05360409ff9340f1bc19afdf224a586fbacaccedbc588
                        • Instruction ID: 4c7582e3b1a85beab2b720a7745e95ef766d6b1f588916e83a68f32ddbc1d873
                        • Opcode Fuzzy Hash: 11d2306c911dd3fa81f05360409ff9340f1bc19afdf224a586fbacaccedbc588
                        • Instruction Fuzzy Hash: 6F5120F2A00219ABDB24EF90EC85FEA777CFB44704F40459DF605AA190D774AB45CBA4
                        APIs
                        • socket.WS2_32(00000002,00000002,00000011), ref: 035B3710
                        • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 035B3749
                        • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 035B3766
                        • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 035B3779
                        • WSACreateEvent.WS2_32 ref: 035B377B
                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,035E1F0C), ref: 035B378D
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,035E1F0C), ref: 035B3799
                        • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,035E1F0C), ref: 035B37B8
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,035E1F0C), ref: 035B37C4
                        • gethostbyname.WS2_32(00000000), ref: 035B37D2
                        • htons.WS2_32(?), ref: 035B37F8
                        • WSAEventSelect.WS2_32(?,?,00000030), ref: 035B3816
                        • connect.WS2_32(?,?,00000010), ref: 035B382B
                        • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,035E1F0C), ref: 035B383A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                        • String ID:
                        • API String ID: 1455939504-0
                        • Opcode ID: bf666449234bef3fb584bfcd6669c4660ca9167079b97d47d99da0f67b5867db
                        • Instruction ID: c860783f39dbc1582ae14ee6c8220e8f3518af48e6f4856a6b7923795fb03b1d
                        • Opcode Fuzzy Hash: bf666449234bef3fb584bfcd6669c4660ca9167079b97d47d99da0f67b5867db
                        • Instruction Fuzzy Hash: B2418F75A41305ABE720EBA4DC89FBFB7B8FB88710F104518F711AB2E0C670A905DB61
                        APIs
                        • socket.WS2_32(00000002,00000002,00000011), ref: 003B36F0
                        • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 003B3729
                        • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 003B3746
                        • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 003B3759
                        • WSACreateEvent.WS2_32 ref: 003B375B
                        • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,003CDA88), ref: 003B376D
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,003CDA88), ref: 003B3779
                        • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,003CDA88), ref: 003B3798
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,003CDA88), ref: 003B37A4
                        • gethostbyname.WS2_32(00000000), ref: 003B37B2
                        • htons.WS2_32(?), ref: 003B37D8
                        • WSAEventSelect.WS2_32(?,?,00000030), ref: 003B37F6
                        • connect.WS2_32(?,?,00000010), ref: 003B380B
                        • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,003CDA88), ref: 003B381A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                        • String ID:
                        • API String ID: 1455939504-0
                        • Opcode ID: 4043cf438e9234811c48725c3e8d91a4433aab9802d16ca04b5c74ad25df26b6
                        • Instruction ID: be0fb23ef37ccb85cd13d0fd47639758a83a6c3e08d2df60db7c9318c1db3e5e
                        • Opcode Fuzzy Hash: 4043cf438e9234811c48725c3e8d91a4433aab9802d16ca04b5c74ad25df26b6
                        • Instruction Fuzzy Hash: 65417FB1A00205ABD7119FA4DC8AFAFB7B8EB48714F104619FB15DA2D0CB74B944CB61
                        APIs
                        • GetLocalTime.KERNEL32(?,F17FF389), ref: 035BAA58
                        • wsprintfW.USER32 ref: 035BAA8F
                        • _memset.LIBCMT ref: 035BAAA7
                        • _memset.LIBCMT ref: 035BAABA
                          • Part of subcall function 035B8020: lstrlenW.KERNEL32(?), ref: 035B8038
                          • Part of subcall function 035B8020: _memset.LIBCMT ref: 035B8042
                          • Part of subcall function 035B8020: lstrlenW.KERNEL32(?), ref: 035B804B
                          • Part of subcall function 035B8020: lstrlenW.KERNEL32(?), ref: 035B8056
                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 035BABBE
                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?), ref: 035BAC6E
                        • CloseHandle.KERNEL32(?), ref: 035BACAA
                          • Part of subcall function 035BF707: _malloc.LIBCMT ref: 035BF721
                          • Part of subcall function 035B9730: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,F17FF389,00000000,?,?,?,00000000,035D125B,000000FF,?,035BE04E,00000000), ref: 035B9773
                          • Part of subcall function 035B9730: InitializeCriticalSectionAndSpinCount.KERNEL32(035BE1AE,00000000,?,?,?,00000000,035D125B,000000FF,?,035BE04E), ref: 035B9812
                          • Part of subcall function 035B9730: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,035D125B,000000FF,?,035BE04E), ref: 035B9850
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateEvent_memsetlstrlen$CloseCountCriticalHandleInitializeLocalSectionSleepSpinTime_mallocwsprintf
                        • String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
                        • API String ID: 1254190970-1225219777
                        • Opcode ID: 2b23af1bca9c7ecb73af99d917b861097938ae92b58110caf50f626fa8df04b2
                        • Instruction ID: c0ab56d6fb392270df617c59824199b91a2318263bb973cdf8548f53e9c4f1d1
                        • Opcode Fuzzy Hash: 2b23af1bca9c7ecb73af99d917b861097938ae92b58110caf50f626fa8df04b2
                        • Instruction Fuzzy Hash: CA618EB1508341AFD370DF68E881EABB3F9BBC9614F004A1DF59997260EB309545CBA7
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000001,AppEvents,00000000,00000002,?), ref: 035BC889
                        • RegDeleteValueW.ADVAPI32(?), ref: 035BC894
                        • RegCloseKey.ADVAPI32(?), ref: 035BC8A4
                        • RegCreateKeyW.ADVAPI32(80000001,AppEvents,?), ref: 035BC8C3
                        • lstrlenW.KERNEL32(?), ref: 035BC8D1
                        • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 035BC8E4
                        • RegCloseKey.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 035BC8F2
                        • RegCloseKey.ADVAPI32(?), ref: 035BC900
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$Value$CreateDeleteOpenlstrlen
                        • String ID: AppEvents$Network
                        • API String ID: 3935456190-3733486940
                        • Opcode ID: 2811afc27550210626f60ef864d9b023a2a94b94b6879cf82b613a5e0a045594
                        • Instruction ID: 3d330c7aa32445de70bd72aa8409345ff101d1ebafe8b2885a6f307e5bb07764
                        • Opcode Fuzzy Hash: 2811afc27550210626f60ef864d9b023a2a94b94b6879cf82b613a5e0a045594
                        • Instruction Fuzzy Hash: E2116075B01204FBE720DAA9EC88FABB3BCEB05611F104949FA0197250D671AE15D7A4
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memset$swprintf$_malloc
                        • String ID:
                        • API String ID: 1873853019-0
                        • Opcode ID: 3f50267ee0d4530fbe0cb1d11835ce57543940fbe395791651446b52ed7773fe
                        • Instruction ID: 521f4a9621d7b1ced2881dec1a209ae8861ba66f3de98e3d4f6726369d111dc2
                        • Opcode Fuzzy Hash: 3f50267ee0d4530fbe0cb1d11835ce57543940fbe395791651446b52ed7773fe
                        • Instruction Fuzzy Hash: D78128B5980300AFE710EF54DC85F6B7764AF4A310F084069ED595F386E771E914C7AA
                        APIs
                        • SetLastError.KERNEL32(0000139F,F17FF389,?,?,?,?,00000000,000000FF,00000000), ref: 035B4CE6
                        • EnterCriticalSection.KERNEL32(?,F17FF389,?,?,?,?,00000000,000000FF,00000000), ref: 035B4D0D
                        • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 035B4D21
                        • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 035B4D28
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalErrorLastSection$EnterLeave
                        • String ID:
                        • API String ID: 2124651672-0
                        • Opcode ID: 3c76d30637082d6a75ca17ba0afaffadb079488c2dfd26cc7baa3abf5cae2ef1
                        • Instruction ID: e716498dc110a0c13b69a870d71b05ac66f4339a99689d7b138463d050f300ee
                        • Opcode Fuzzy Hash: 3c76d30637082d6a75ca17ba0afaffadb079488c2dfd26cc7baa3abf5cae2ef1
                        • Instruction Fuzzy Hash: D551DE76A047059FC324EFA9E884AAAFBF4FF88700F054A6EE91AC7750D731A414CB51
                        APIs
                        • SetLastError.KERNEL32(0000139F,E07698D6,?,?,?,?,00000000,000000FF,00000000), ref: 003B4CD6
                        • EnterCriticalSection.KERNEL32(?,E07698D6,?,?,?,?,00000000,000000FF,00000000), ref: 003B4CFD
                        • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 003B4D11
                        • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 003B4D18
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CriticalErrorLastSection$EnterLeave
                        • String ID:
                        • API String ID: 2124651672-0
                        • Opcode ID: 968e63719df33d2b6e45d98411f67abf89bf8aeef7e18dbfe3da1946a45808ec
                        • Instruction ID: c2c8a6f10b889ac81affdab9fd47ebc18d10eb19088f644e65b454cc19fba8a1
                        • Opcode Fuzzy Hash: 968e63719df33d2b6e45d98411f67abf89bf8aeef7e18dbfe3da1946a45808ec
                        • Instruction Fuzzy Hash: 8251AF76A047009FC711DFA8E985BAAB7F4FB48715F00492EE60AC7B41DB75B804CB91
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memset$_wcsrchr
                        • String ID: D
                        • API String ID: 170005318-2746444292
                        • Opcode ID: 2fbd54727e06274e944b63818dd284e46237165b468447c0c16789fbefc167a3
                        • Instruction ID: fb9949cf931c7521d2502564dcd63f412b6f6fefe57d1acd4cfc063af1ee4e26
                        • Opcode Fuzzy Hash: 2fbd54727e06274e944b63818dd284e46237165b468447c0c16789fbefc167a3
                        • Instruction Fuzzy Hash: 2551FA7194031D7ADB20EBA1CC85FEBB378DF19700F40459AA609AF180EB759684CF69
                        APIs
                        • _memset.LIBCMT ref: 035BE751
                        • GetForegroundWindow.USER32(?,759223A0,00000000), ref: 035BE759
                        • GetWindowTextW.USER32(00000000,035E16F0,00000800), ref: 035BE76F
                        • _memset.LIBCMT ref: 035BE78D
                        • lstrlenW.KERNEL32(035E16F0,?,?,?,?,759223A0,00000000), ref: 035BE7AC
                        • GetLocalTime.KERNEL32(?,?,?,?,?,759223A0,00000000), ref: 035BE7BD
                        • wsprintfW.USER32 ref: 035BE804
                          • Part of subcall function 035BE6B0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,035BE815,?,?,?,?,759223A0,00000000), ref: 035BE6BD
                          • Part of subcall function 035BE6B0: CreateFileW.KERNEL32(035E0D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,035BE815,?,?,?,?,759223A0,00000000), ref: 035BE6D7
                          • Part of subcall function 035BE6B0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 035BE6F2
                          • Part of subcall function 035BE6B0: lstrlenW.KERNEL32(?,00000000,00000000), ref: 035BE6FF
                          • Part of subcall function 035BE6B0: WriteFile.KERNEL32(00000000,?,00000000), ref: 035BE70A
                          • Part of subcall function 035BE6B0: CloseHandle.KERNEL32(00000000), ref: 035BE711
                          • Part of subcall function 035BE6B0: ReleaseMutex.KERNEL32(00000000), ref: 035BE71E
                        • _memset.LIBCMT ref: 035BE820
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: File_memset$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
                        • String ID: [
                        • API String ID: 2192163267-4056885943
                        • Opcode ID: 7114458bbc26c4ff51bb64fcd2e4a5a3ff074e27ad3e182a931e8ceea3e32922
                        • Instruction ID: bf0d7ca470c2d84a19483f20b90cc5a403349322a0968b6dad7d6c4c0e02b929
                        • Opcode Fuzzy Hash: 7114458bbc26c4ff51bb64fcd2e4a5a3ff074e27ad3e182a931e8ceea3e32922
                        • Instruction Fuzzy Hash: 4B21D675A00228AAC764EF94EC06EBE73BDFB44700F04C599B44496160EE705B9ADBE4
                        APIs
                        • EnterCriticalSection.KERNEL32(?,?,?,?,035B398D,?,00000000,000000FF,00000000), ref: 035B3E05
                        • LeaveCriticalSection.KERNEL32(?,?,?,035B398D,?,00000000,000000FF,00000000), ref: 035B3E50
                        • send.WS2_32(?,000000FF,00000000,00000000), ref: 035B3E6E
                        • EnterCriticalSection.KERNEL32(?), ref: 035B3E81
                        • LeaveCriticalSection.KERNEL32(?), ref: 035B3E94
                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,035B398D,?,00000000,000000FF,00000000), ref: 035B3EBC
                        • WSAGetLastError.WS2_32(?,?,035B398D,?,00000000,000000FF,00000000), ref: 035B3EC7
                        • EnterCriticalSection.KERNEL32(?,?,?,035B398D,?,00000000,000000FF,00000000), ref: 035B3EDB
                        • LeaveCriticalSection.KERNEL32(?), ref: 035B3F14
                        • HeapFree.KERNEL32(00000000,00000000,?), ref: 035B3F51
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                        • String ID:
                        • API String ID: 1701177279-0
                        • Opcode ID: cff08f94ec2d102720521b0fb803c787545d89a5c6e736d414c850bbf5906544
                        • Instruction ID: f7beb3e4728e90a2c3025e135ce12379d70ec897ba5be7a89ab3eb15c84bb763
                        • Opcode Fuzzy Hash: cff08f94ec2d102720521b0fb803c787545d89a5c6e736d414c850bbf5906544
                        • Instruction Fuzzy Hash: 38412775105B059FC724DF78E8C8AE7B7F8BB48300F04896EE86EDB264DB31A4058B60
                        APIs
                        • EnterCriticalSection.KERNEL32(?,?,?,?,003B396D,?,00000000,000000FF,00000000), ref: 003B3DE5
                        • LeaveCriticalSection.KERNEL32(?,?,?,003B396D,?,00000000,000000FF,00000000), ref: 003B3E30
                        • send.WS2_32(?,000000FF,00000000,00000000), ref: 003B3E4E
                        • EnterCriticalSection.KERNEL32(?), ref: 003B3E61
                        • LeaveCriticalSection.KERNEL32(?), ref: 003B3E74
                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,003B396D,?,00000000,000000FF,00000000), ref: 003B3E9C
                        • WSAGetLastError.WS2_32(?,?,003B396D,?,00000000,000000FF,00000000), ref: 003B3EA7
                        • EnterCriticalSection.KERNEL32(?,?,?,003B396D,?,00000000,000000FF,00000000), ref: 003B3EBB
                        • LeaveCriticalSection.KERNEL32(?), ref: 003B3EF4
                        • HeapFree.KERNEL32(00000000,00000000,?), ref: 003B3F31
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                        • String ID:
                        • API String ID: 1701177279-0
                        • Opcode ID: 7b1ede159434fc77b5950fea44a26b60b7bdda75afec23576674ce8b0e781168
                        • Instruction ID: 8cfd20073355bb3f8b4abb1c04f24ae0a4ba4f4c28d80709c9cdb33987080164
                        • Opcode Fuzzy Hash: 7b1ede159434fc77b5950fea44a26b60b7bdda75afec23576674ce8b0e781168
                        • Instruction Fuzzy Hash: 80413D72604A149FD722CF74D884AE7B7F8BB48304F54492EEA5ECB640D771F9418B50
                        APIs
                        • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 035B4F63
                        • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 035B4F78
                        • WSASetLastError.WS2_32(00002746), ref: 035B4F8A
                        • LeaveCriticalSection.KERNEL32(000002FF), ref: 035B4F91
                        • timeGetTime.WINMM ref: 035B4FBF
                        • timeGetTime.WINMM ref: 035B4FE7
                        • SetEvent.KERNEL32(?), ref: 035B5025
                        • InterlockedExchange.KERNEL32(?,00000001), ref: 035B5031
                        • LeaveCriticalSection.KERNEL32(000002FF), ref: 035B5038
                        • LeaveCriticalSection.KERNEL32(000002FF), ref: 035B504B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                        • String ID:
                        • API String ID: 1979691958-0
                        • Opcode ID: e72f9cfa6fb2f4c147c909effbd3fc34e30a05d2131d1b4da33866db5a4b7561
                        • Instruction ID: 12e50deaeba352e145d36d2d3e8143e3444c6f5dab920cf9c3da54b722457187
                        • Opcode Fuzzy Hash: e72f9cfa6fb2f4c147c909effbd3fc34e30a05d2131d1b4da33866db5a4b7561
                        • Instruction Fuzzy Hash: 704125716013048FC730EF6AE588ABAB7F9FF48310F084999E84AC7762E335E4558B41
                        APIs
                        • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 003B4F53
                        • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 003B4F68
                        • WSASetLastError.WS2_32(00002746), ref: 003B4F7A
                        • LeaveCriticalSection.KERNEL32(000002FF), ref: 003B4F81
                        • timeGetTime.WINMM ref: 003B4FAF
                        • timeGetTime.WINMM ref: 003B4FD7
                        • SetEvent.KERNEL32(?), ref: 003B5015
                        • InterlockedExchange.KERNEL32(?,00000001), ref: 003B5021
                        • LeaveCriticalSection.KERNEL32(000002FF), ref: 003B5028
                        • LeaveCriticalSection.KERNEL32(000002FF), ref: 003B503B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                        • String ID:
                        • API String ID: 1979691958-0
                        • Opcode ID: f090ed3cca793431953dff695392dcbc6e6a71ff78de3ae8b8e4911752dad23a
                        • Instruction ID: aad8e751b5907d0457c505c918bff5cd29c5322af79c4583419cdf6b2e70c07c
                        • Opcode Fuzzy Hash: f090ed3cca793431953dff695392dcbc6e6a71ff78de3ae8b8e4911752dad23a
                        • Instruction Fuzzy Hash: B141E8716007009FD722DF68D949BBAB7F9FF58318F058659E64AC7A52D331F8858B40
                        APIs
                        • _memset.LIBCMT ref: 035BC2AE
                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 035BC2CC
                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 035BC309
                        • CloseHandle.KERNEL32(00000000), ref: 035BC314
                        • lstrlenW.KERNEL32(?), ref: 035BC321
                        • wsprintfW.USER32 ref: 035BC345
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleWrite_memsetlstrlenwsprintf
                        • String ID: %s %s
                        • API String ID: 1326869720-2939940506
                        • Opcode ID: 014f18b77fdf821ef743c43e23a9511352961e120effe0c6390c2a2c29ef6aeb
                        • Instruction ID: 93413079803e9025d68474bb0274a759d66a0fc4abe7b139b69290ca632cf35b
                        • Opcode Fuzzy Hash: 014f18b77fdf821ef743c43e23a9511352961e120effe0c6390c2a2c29ef6aeb
                        • Instruction Fuzzy Hash: 8031B5326402186BDB24EB64EC85FEFB37CFB45311F80469AB606E6190EA305B45DFA5
                        APIs
                        • lstrlenW.KERNEL32(?), ref: 035BC98D
                        • _wcsrchr.LIBCMT ref: 035BC9C7
                          • Part of subcall function 035B7C80: LoadLibraryW.KERNEL32(wininet.dll), ref: 035B7CC3
                          • Part of subcall function 035B7C80: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 035B7CD7
                          • Part of subcall function 035B7C80: FreeLibrary.KERNEL32(00000000), ref: 035B7CF7
                        • GetFileAttributesW.KERNEL32(-00000002), ref: 035BC9E6
                        • GetLastError.KERNEL32 ref: 035BC9F1
                        • _memset.LIBCMT ref: 035BCA04
                        • CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 035BCA31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Library$AddressAttributesCreateErrorFileFreeLastLoadProcProcess_memset_wcsrchrlstrlen
                        • String ID: D$WinSta0\Default
                        • API String ID: 174883095-1101385590
                        • Opcode ID: 438673b4c8025bf45b9973e54caa98f0586d7064d7b45dae28c15c797badefb8
                        • Instruction ID: 9e5144d3bf6956e3b9ba25cb40f8dbcab9bfcc6ac8424c469050e69851072667
                        • Opcode Fuzzy Hash: 438673b4c8025bf45b9973e54caa98f0586d7064d7b45dae28c15c797badefb8
                        • Instruction Fuzzy Hash: 7C115BB790124867D724E6E8BC45FFFB77CAB84710F080129FE059A194E635D50582E6
                        APIs
                        • lstrcmpiW.KERNEL32(?,A:\), ref: 035B8166
                        • lstrcmpiW.KERNEL32(?,B:\), ref: 035B8176
                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 035B81A6
                        • lstrlenW.KERNEL32(?), ref: 035B81B7
                        • __wcsnicmp.LIBCMT ref: 035B81CE
                        • lstrcpyW.KERNEL32(00000AD4,?), ref: 035B8204
                        • lstrcpyW.KERNEL32(?,?), ref: 035B8228
                        • lstrcatW.KERNEL32(?,00000000), ref: 035B8233
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcmpilstrcpy$DeviceQuery__wcsnicmplstrcatlstrlen
                        • String ID: A:\$B:\
                        • API String ID: 4249875308-1009255891
                        • Opcode ID: d1d286a1e3665d0342bdc721c16d6f6b07b3d2d8c9a07312b2f2cc9933023e4f
                        • Instruction ID: 852098f6876932b89f039813d3658a344752edfeed34182d43f651ae889de144
                        • Opcode Fuzzy Hash: d1d286a1e3665d0342bdc721c16d6f6b07b3d2d8c9a07312b2f2cc9933023e4f
                        • Instruction Fuzzy Hash: 47115171A02259DBDB24EFA0ED44BEEB378FF44210F044498EE0AB7160E770EA45CB95
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _strcat_s$_memset$__localtime64__time64__wcsnicmp_malloc
                        • String ID:
                        • API String ID: 3592133475-0
                        • Opcode ID: 9612d8c1e5366324d8b9188000d87f817137c3975bf1db378519ae119bbab18c
                        • Instruction ID: a7005342910e96fc03cad72cefd01cb045e92f9e6cb08c4768285c26558c540a
                        • Opcode Fuzzy Hash: 9612d8c1e5366324d8b9188000d87f817137c3975bf1db378519ae119bbab18c
                        • Instruction Fuzzy Hash: D4F1C4B5900304AFD724DBA4CC85FEBB3B8EB49300F40459DE71AAB281EB75A645CF59
                        APIs
                        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,F17FF389,00000000,?,?,?,00000000,035D125B,000000FF,?,035BE04E,00000000), ref: 035B9773
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(035BE1AE,00000000,?,?,?,00000000,035D125B,000000FF,?,035BE04E), ref: 035B9812
                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,035D125B,000000FF,?,035BE04E), ref: 035B9850
                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,035D125B,000000FF,?,035BE04E), ref: 035B9875
                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,035D125B,000000FF,?,035BE04E), ref: 035B989A
                          • Part of subcall function 035B1280: __CxxThrowException@8.LIBCMT ref: 035B1290
                          • Part of subcall function 035B1280: DeleteCriticalSection.KERNEL32(00000000,035BD3E6,035D6624,?,?,035BD3E6,?,?,?,?,035D5A44,00000000), ref: 035B12A1
                          • Part of subcall function 035BCE10: InitializeCriticalSectionAndSpinCount.KERNEL32(035BE076,00000000,F17FF389,035BE04E,75922F60,00000000,?,035BE226,035D110B,000000FF,?,035B994A,035BE226), ref: 035BCE67
                          • Part of subcall function 035BCE10: InitializeCriticalSectionAndSpinCount.KERNEL32(035BE08E,00000000,?,035BE226,035D110B,000000FF,?,035B994A,035BE226,?,?,?,00000000,035D125B,000000FF), ref: 035BCE83
                        • InterlockedExchange.KERNEL32(035BE066,00000000), ref: 035B99A0
                        • timeGetTime.WINMM(?,?,?,00000000,035D125B,000000FF,?,035BE04E), ref: 035B99A6
                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,035D125B,000000FF,?,035BE04E), ref: 035B99B4
                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,035D125B,000000FF,?,035BE04E), ref: 035B99BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                        • String ID:
                        • API String ID: 1400036169-0
                        • Opcode ID: 3b9674cb6e508c5821671ad0122deda53ad02f331f8f6912e6e4be55519e1177
                        • Instruction ID: f7e190c2fd5c25890d0796c130ed6bd089142037258801f6463d056c6b162f2e
                        • Opcode Fuzzy Hash: 3b9674cb6e508c5821671ad0122deda53ad02f331f8f6912e6e4be55519e1177
                        • Instruction Fuzzy Hash: 6C81D6B0A01A46BFD354DF6A9884BD6FBA8FB08304F50462EE12C87650D775A964CF90
                        APIs
                          • Part of subcall function 035B3660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 035B3667
                          • Part of subcall function 035B3660: _free.LIBCMT ref: 035B369C
                          • Part of subcall function 035B3660: _malloc.LIBCMT ref: 035B36D7
                          • Part of subcall function 035B3660: _memset.LIBCMT ref: 035B36E5
                        • InterlockedIncrement.KERNEL32(035E1F0C), ref: 035B3565
                        • InterlockedIncrement.KERNEL32(035E1F0C), ref: 035B3573
                        • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 035B359A
                        • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 035B35B3
                        • ResetEvent.KERNEL32(?,?,?,035E1F0C), ref: 035B35EE
                        • SetLastError.KERNEL32(00000000), ref: 035B3621
                        • GetLastError.KERNEL32 ref: 035B3639
                          • Part of subcall function 035B3F60: GetCurrentThreadId.KERNEL32 ref: 035B3F65
                          • Part of subcall function 035B3F60: send.WS2_32(?,035D49C0,00000010,00000000), ref: 035B3FC6
                          • Part of subcall function 035B3F60: SetEvent.KERNEL32(?), ref: 035B3FE9
                          • Part of subcall function 035B3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 035B3FF5
                          • Part of subcall function 035B3F60: WSACloseEvent.WS2_32(?), ref: 035B4003
                          • Part of subcall function 035B3F60: shutdown.WS2_32(?,00000001), ref: 035B401B
                          • Part of subcall function 035B3F60: closesocket.WS2_32(?), ref: 035B4025
                        • SetLastError.KERNEL32(00000000), ref: 035B3649
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                        • String ID:
                        • API String ID: 127459856-0
                        • Opcode ID: b146ba35fdd375e69299e8620322677f3669bb532e72d8c467dd694cfa93c2ef
                        • Instruction ID: d9db9b211ffdee16942b06dad9283970d4e0a9d9a45146ea2facaf1531f6ff88
                        • Opcode Fuzzy Hash: b146ba35fdd375e69299e8620322677f3669bb532e72d8c467dd694cfa93c2ef
                        • Instruction Fuzzy Hash: DA41A0B5600704AFD360EF69EC81BAAF7F8FB48701F50482EE646E7690D7B0E4448B90
                        APIs
                          • Part of subcall function 003B3640: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 003B3647
                          • Part of subcall function 003B3640: _free.LIBCMT ref: 003B367C
                          • Part of subcall function 003B3640: _malloc.LIBCMT ref: 003B36B7
                          • Part of subcall function 003B3640: _memset.LIBCMT ref: 003B36C5
                        • InterlockedIncrement.KERNEL32(003CDA88), ref: 003B3545
                        • InterlockedIncrement.KERNEL32(003CDA88), ref: 003B3553
                        • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 003B357A
                        • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 003B3593
                        • ResetEvent.KERNEL32(?,?,?,003CDA88), ref: 003B35CE
                        • SetLastError.KERNEL32(00000000), ref: 003B3601
                        • GetLastError.KERNEL32 ref: 003B3619
                          • Part of subcall function 003B3F50: GetCurrentThreadId.KERNEL32 ref: 003B3F55
                          • Part of subcall function 003B3F50: send.WS2_32(?,003C7440,00000010,00000000), ref: 003B3FB6
                          • Part of subcall function 003B3F50: SetEvent.KERNEL32(?), ref: 003B3FD9
                          • Part of subcall function 003B3F50: InterlockedExchange.KERNEL32(?,00000000), ref: 003B3FE5
                          • Part of subcall function 003B3F50: WSACloseEvent.WS2_32(?), ref: 003B3FF3
                          • Part of subcall function 003B3F50: shutdown.WS2_32(?,00000001), ref: 003B400B
                          • Part of subcall function 003B3F50: closesocket.WS2_32(?), ref: 003B4015
                        • SetLastError.KERNEL32(00000000), ref: 003B3629
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                        • String ID:
                        • API String ID: 127459856-0
                        • Opcode ID: 65b9def74680ebd76c14874008840ae60fd1a75cc2976c8fd491e44cf7219728
                        • Instruction ID: 8a79a09eeefce5c78a869e97b7172fc46822e58a17c1a3b0f8c214f5d0b09ea3
                        • Opcode Fuzzy Hash: 65b9def74680ebd76c14874008840ae60fd1a75cc2976c8fd491e44cf7219728
                        • Instruction Fuzzy Hash: D441A0B1600714AFD361EF69DC81BAAF7E8FB48705F50042EEA46D7A80DBB1F9448B50
                        APIs
                        • ResetEvent.KERNEL32(?), ref: 035B4443
                        • ResetEvent.KERNEL32(?), ref: 035B444C
                        • timeGetTime.WINMM ref: 035B444E
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 035B445D
                        • WaitForSingleObject.KERNEL32(?,00001770), ref: 035B44AB
                        • ResetEvent.KERNEL32(?), ref: 035B44C8
                          • Part of subcall function 035B3F60: GetCurrentThreadId.KERNEL32 ref: 035B3F65
                          • Part of subcall function 035B3F60: send.WS2_32(?,035D49C0,00000010,00000000), ref: 035B3FC6
                          • Part of subcall function 035B3F60: SetEvent.KERNEL32(?), ref: 035B3FE9
                          • Part of subcall function 035B3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 035B3FF5
                          • Part of subcall function 035B3F60: WSACloseEvent.WS2_32(?), ref: 035B4003
                          • Part of subcall function 035B3F60: shutdown.WS2_32(?,00000001), ref: 035B401B
                          • Part of subcall function 035B3F60: closesocket.WS2_32(?), ref: 035B4025
                        • ResetEvent.KERNEL32(?), ref: 035B44DC
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                        • String ID:
                        • API String ID: 542259498-0
                        • Opcode ID: 0a9abecf6829ffb423c6ebd0834a25ac1a496c966cb606a42d1409bdd867d7f8
                        • Instruction ID: 7fb45253d7b16dd4a3a713f011886c5c01d2d44f2a7653b52578a88c3521a551
                        • Opcode Fuzzy Hash: 0a9abecf6829ffb423c6ebd0834a25ac1a496c966cb606a42d1409bdd867d7f8
                        • Instruction Fuzzy Hash: 392161766047046BC230EF79EC85E97B3F8FF89710F104A1EE58AC7650D671E4159BA0
                        APIs
                        • ResetEvent.KERNEL32(?), ref: 003B4433
                        • ResetEvent.KERNEL32(?), ref: 003B443C
                        • timeGetTime.WINMM ref: 003B443E
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 003B444D
                        • WaitForSingleObject.KERNEL32(?,00001770), ref: 003B449B
                        • ResetEvent.KERNEL32(?), ref: 003B44B8
                          • Part of subcall function 003B3F50: GetCurrentThreadId.KERNEL32 ref: 003B3F55
                          • Part of subcall function 003B3F50: send.WS2_32(?,003C7440,00000010,00000000), ref: 003B3FB6
                          • Part of subcall function 003B3F50: SetEvent.KERNEL32(?), ref: 003B3FD9
                          • Part of subcall function 003B3F50: InterlockedExchange.KERNEL32(?,00000000), ref: 003B3FE5
                          • Part of subcall function 003B3F50: WSACloseEvent.WS2_32(?), ref: 003B3FF3
                          • Part of subcall function 003B3F50: shutdown.WS2_32(?,00000001), ref: 003B400B
                          • Part of subcall function 003B3F50: closesocket.WS2_32(?), ref: 003B4015
                        • ResetEvent.KERNEL32(?), ref: 003B44CC
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                        • String ID:
                        • API String ID: 542259498-0
                        • Opcode ID: 8e73ecf4cd6ec2b8326e23eb8cafedafefeec3763de6ca8e7ef6910b4f5b48c8
                        • Instruction ID: 3516949d4907078927ce7e47e5cc95267285e211814df544ced2f993a47cbff5
                        • Opcode Fuzzy Hash: 8e73ecf4cd6ec2b8326e23eb8cafedafefeec3763de6ca8e7ef6910b4f5b48c8
                        • Instruction Fuzzy Hash: 70216F76600B146BC631EF69DC85F9BB3E8EF89710F100A1EF68AC7651D671B8408BA5
                        APIs
                        • SetLastError.KERNEL32(0000139F,?), ref: 035B4E99
                        • TryEnterCriticalSection.KERNEL32(?,?), ref: 035B4EB8
                        • TryEnterCriticalSection.KERNEL32(?), ref: 035B4EC2
                        • SetLastError.KERNEL32(0000139F), ref: 035B4ED9
                        • LeaveCriticalSection.KERNEL32(?), ref: 035B4EE2
                        • LeaveCriticalSection.KERNEL32(?), ref: 035B4EE9
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterErrorLastLeave
                        • String ID:
                        • API String ID: 4082018349-0
                        • Opcode ID: 9eed5fd39b4793e213ba758026ec68a6fc269f10f00231f4556e85ff42701691
                        • Instruction ID: 9ca88a4e19758a4f79517dfada696706a7af5e44e07c594fa8dd9920c5840348
                        • Opcode Fuzzy Hash: 9eed5fd39b4793e213ba758026ec68a6fc269f10f00231f4556e85ff42701691
                        • Instruction Fuzzy Hash: 461163726013058BD330EAAEFC849ABF3F8FB88211F04092EE605C3560D671D815C6A6
                        APIs
                        • SetLastError.KERNEL32(0000139F,?), ref: 003B4E89
                        • TryEnterCriticalSection.KERNEL32(?,?), ref: 003B4EA8
                        • TryEnterCriticalSection.KERNEL32(?), ref: 003B4EB2
                        • SetLastError.KERNEL32(0000139F), ref: 003B4EC9
                        • LeaveCriticalSection.KERNEL32(?), ref: 003B4ED2
                        • LeaveCriticalSection.KERNEL32(?), ref: 003B4ED9
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterErrorLastLeave
                        • String ID:
                        • API String ID: 4082018349-0
                        • Opcode ID: 78a7f3d74987b869d68beb38d8add446c5ee0a7ddf956b1553499ee8ab00e66b
                        • Instruction ID: 8e589e5ee3bd6047db9e120bb2f1867db8423228acd4f12abafb6190125804c6
                        • Opcode Fuzzy Hash: 78a7f3d74987b869d68beb38d8add446c5ee0a7ddf956b1553499ee8ab00e66b
                        • Instruction Fuzzy Hash: 8F1186727007148BC321EF7DEC859ABB3ECFB88325B40062AE605C7951D671F844C7A5
                        APIs
                        • SetLastError.KERNEL32(0000007F), ref: 035BDD32
                        • SetLastError.KERNEL32(0000007F), ref: 035BDE35
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast
                        • String ID: Main
                        • API String ID: 1452528299-521822810
                        • Opcode ID: 22ca5e5475bafa06b2545e1233a0fd083eb9a13277945f8ec40202ff75d1855d
                        • Instruction ID: e820853d56bbdd53537d17c64a34fcd9f8af5e42644598c74fb5fc5667b86095
                        • Opcode Fuzzy Hash: 22ca5e5475bafa06b2545e1233a0fd083eb9a13277945f8ec40202ff75d1855d
                        • Instruction Fuzzy Hash: 9241AF31A40209DFD720DF58EC81BAAB3F8FF94314F1846A9E8498B361E771E955CB90
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 035B3F65
                        • SetLastError.KERNEL32(0000139F,?,7591DFA0,035B3648), ref: 035B4054
                          • Part of subcall function 035B2BC0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 035B2BD6
                          • Part of subcall function 035B2BC0: SwitchToThread.KERNEL32 ref: 035B2BEA
                        • send.WS2_32(?,035D49C0,00000010,00000000), ref: 035B3FC6
                        • SetEvent.KERNEL32(?), ref: 035B3FE9
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 035B3FF5
                        • WSACloseEvent.WS2_32(?), ref: 035B4003
                        • shutdown.WS2_32(?,00000001), ref: 035B401B
                        • closesocket.WS2_32(?), ref: 035B4025
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                        • String ID:
                        • API String ID: 3254528666-0
                        • Opcode ID: 93fbcff952faa4fa77fb30b15979422f244ea5d7b23d4704223c806cf614ee04
                        • Instruction ID: d9758b12e07cb7ab746c27fee523d5149e0ce86b45de5e08274f4838f10410da
                        • Opcode Fuzzy Hash: 93fbcff952faa4fa77fb30b15979422f244ea5d7b23d4704223c806cf614ee04
                        • Instruction Fuzzy Hash: FC212C752007009BD330EF69E888B9BB7F9BB84711F144D1CF2929BAA0C7B9E455DB50
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 003B3F55
                        • SetLastError.KERNEL32(0000139F,?,7591DFA0,003B3628), ref: 003B4044
                          • Part of subcall function 003B2B80: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 003B2B96
                          • Part of subcall function 003B2B80: SwitchToThread.KERNEL32 ref: 003B2BAA
                        • send.WS2_32(?,003C7440,00000010,00000000), ref: 003B3FB6
                        • SetEvent.KERNEL32(?), ref: 003B3FD9
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 003B3FE5
                        • WSACloseEvent.WS2_32(?), ref: 003B3FF3
                        • shutdown.WS2_32(?,00000001), ref: 003B400B
                        • closesocket.WS2_32(?), ref: 003B4015
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                        • String ID:
                        • API String ID: 3254528666-0
                        • Opcode ID: 26b5efdd05879136fce91befaf87b72ee55de0f585f72292586a85ccabdbbee2
                        • Instruction ID: 719227e6c9b8875a3e1d1a9e3714a0ee31a18962314b00adb41c5d9fa0fff477
                        • Opcode Fuzzy Hash: 26b5efdd05879136fce91befaf87b72ee55de0f585f72292586a85ccabdbbee2
                        • Instruction Fuzzy Hash: 55217A71200B109BD332AF68D888B9BB7F9BB44719F04090CF292CBA91C7B5F845CB90
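The argument columns in the API lines above are raw stack values, so what a call does only becomes visible once the constants are decoded: 0xFFFF, 0x1001 and 0x1002 in the two setsockopt calls are SOL_SOCKET with SO_SNDBUF and SO_RCVBUF, 0x139F in SetLastError is ERROR_INVALID_STATE, 0x2746 in WSASetLastError is WSAECONNRESET, 0x1770 in WaitForSingleObject is a 6000 ms timeout, and the CreateFileW call opens its target with GENERIC_WRITE, FILE_SHARE_READ and CREATE_ALWAYS. The Python decoder below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses trace lines in the format shown here (including the "Part of subcall function" prefix, the "?" placeholders and signed values such as -00000002) and annotates the constants it knows. The sample lines are copied from the listing above; the constant tables are standard Win32/Winsock values and are an assumption of the example, not something the report states. The lone "D" in the String ID of the CreateProcessW function is, in all likelihood, the same kind of constant: 0x44 is both ASCII "D" and sizeof(STARTUPINFOW) on 32-bit Windows, which the function stores in the cb field before the call.

```python
"""Decode the per-function API-trace lines of a Joe Sandbox report (added example)."""
import re
from typing import Callable, Dict, List, Optional, Union

# "• [Part of subcall function XXXXXXXX: ]Api.MODULE[(args)][, ref: ADDR]"
LINE_RE = re.compile(
    r"^\s*\u2022\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?"
)
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")  # the report zero-pads every numeric argument to 8 hex digits

Arg = Union[int, str, None]
Decoder = Callable[[int], Optional[str]]


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None              # not recoverable statically by the plugin
    if HEX_RE.match(tok):
        return int(tok, 16)      # keeps the sign of "-00000002"
    return tok                   # string literal such as wininet.dll or A:\


def enum(table: Dict[int, str]) -> Decoder:
    return lambda v: table.get(v)


def flags(table: Dict[int, str]) -> Decoder:
    def decode(v: int) -> Optional[str]:
        return "|".join(name for bit, name in table.items() if v & bit) or None
    return decode


def timeout_ms(v: int) -> str:
    return "INFINITE" if v == 0xFFFFFFFF else f"{v} ms"


# Standard Win32 / Winsock values (assumption of the example, not stated by the report).
WIN32_ERRORS = {0: "ERROR_SUCCESS", 0x7F: "ERROR_PROC_NOT_FOUND", 0x139F: "ERROR_INVALID_STATE"}
WSA_ERRORS = {0x2745: "WSAECONNABORTED", 0x2746: "WSAECONNRESET", 0x274C: "WSAETIMEDOUT"}

# (api, zero-based argument index) -> decoder for that argument
DECODERS: Dict[tuple, Decoder] = {
    ("setsockopt", 1): enum({0xFFFF: "SOL_SOCKET"}),
    ("setsockopt", 2): enum({0x1001: "SO_SNDBUF", 0x1002: "SO_RCVBUF", 0x8: "SO_KEEPALIVE"}),
    ("shutdown", 1): enum({0: "SD_RECEIVE", 1: "SD_SEND", 2: "SD_BOTH"}),
    ("SetLastError", 0): enum(WIN32_ERRORS),
    ("WSASetLastError", 0): enum(WSA_ERRORS),
    ("CreateFileW", 1): flags({0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}),
    ("CreateFileW", 2): flags({1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}),
    ("CreateFileW", 4): enum({1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                              4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}),
    ("WaitForSingleObject", 1): timeout_ms,
    ("CreateEventW", 1): enum({0: "auto-reset", 1: "manual-reset"}),
}

# sizeof(STARTUPINFOW) on 32-bit Windows is 68 = 0x44 = ASCII "D"; a lone "D" in the String ID
# of a function that calls CreateProcessW is most likely the cb field being initialised.
SIZEOF_STARTUPINFOW_X86 = 68


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args: List[Arg] = [parse_arg(t) for t in raw.split(",")] if raw else []
    decoded: Dict[int, str] = {}
    for i, v in enumerate(args):
        dec = DECODERS.get((m.group("api"), i))
        if dec is not None and isinstance(v, int):
            name = dec(v)
            if name:
                decoded[i] = name
    return {"api": m.group("api"), "module": m.group("mod"), "subcall": m.group("sub"),
            "ref": m.group("ref"), "args": args, "decoded": decoded}


def describe(line: str) -> Optional[str]:
    """Render one trace line with the constants it recognises replaced by their names."""
    r = parse_line(line)
    if r is None:
        return None
    parts = []
    for i, v in enumerate(r["args"]):
        if i in r["decoded"]:
            parts.append(r["decoded"][i])
        elif v is None:
            parts.append("?")
        else:
            parts.append(hex(v) if isinstance(v, int) else repr(v))
    prefix = f"[via {r['subcall']}] " if r["subcall"] else ""
    return f"{prefix}{r['api']}.{r['module']}({', '.join(parts)}) @ {r['ref']}"


# Lines copied from the function listing above.
SAMPLE_LINES = [
    r"• setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 035B359A",
    r"• setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 035B35B3",
    r"• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 035BC2CC",
    r"  • Part of subcall function 035B7C80: LoadLibraryW.KERNEL32(wininet.dll), ref: 035B7CC3",
    r"• CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 035BCA31",
    r"• SetLastError.KERNEL32(0000139F,?), ref: 035B4E99",
    r"• WaitForSingleObject.KERNEL32(?,00001770), ref: 035B44AB",
    r"• WSASetLastError.WS2_32(00002746), ref: 003B4F7A",
    r"• timeGetTime.WINMM ref: 003B4FAF",
    r"• lstrcmpiW.KERNEL32(?,A:\), ref: 035B8166",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(describe(sample))
```

Extending the DECODERS table is the whole point: each new (api, index) entry turns another opaque column of the report into a name an analyst can act on, and arguments the plugin could not resolve stay as "?" rather than being guessed.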
                        APIs
                        • EnterCriticalSection.KERNEL32(?,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B4074
                        • ResetEvent.KERNEL32(?,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B4087
                        • ResetEvent.KERNEL32(?,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B4090
                        • ResetEvent.KERNEL32(?,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B4099
                          • Part of subcall function 035B1350: HeapFree.KERNEL32(?,00000000,?,?,?,035B40A6,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B1390
                          • Part of subcall function 035B1420: HeapFree.KERNEL32(?,00000000,?,?,?,035B40B1,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B143D
                          • Part of subcall function 035B1420: _free.LIBCMT ref: 035B1459
                        • HeapDestroy.KERNEL32(?,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B40B9
                        • HeapCreate.KERNEL32(?,?,?,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B40D4
                        • SetEvent.KERNEL32(?,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B4150
                        • LeaveCriticalSection.KERNEL32(?,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B4157
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                        • String ID:
                        • API String ID: 1219087420-0
                        • Opcode ID: b26cc73237884edd48757b75992aae03a2664d3fc349241902d47b47427cffb0
                        • Instruction ID: 27e72b6725c847439ceb14bb8c2bc67626b424b263eef696b6eba077f73d1d58
                        • Opcode Fuzzy Hash: b26cc73237884edd48757b75992aae03a2664d3fc349241902d47b47427cffb0
                        • Instruction Fuzzy Hash: 81316974601A06AFC714DF35E858BA6F7B8FF48310F048649E4298B260CB35B915CFE0
                        APIs
                        • EnterCriticalSection.KERNEL32(?,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B4064
                        • ResetEvent.KERNEL32(?,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B4077
                        • ResetEvent.KERNEL32(?,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B4080
                        • ResetEvent.KERNEL32(?,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B4089
                          • Part of subcall function 003B1350: HeapFree.KERNEL32(?,00000000,?,?,?,003B4096,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B1390
                          • Part of subcall function 003B1420: HeapFree.KERNEL32(?,00000000,?,?,?,003B40A1,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B143D
                          • Part of subcall function 003B1420: _free.LIBCMT ref: 003B1459
                        • HeapDestroy.KERNEL32(?,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B40A9
                        • HeapCreate.KERNEL32(?,?,?,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B40C4
                        • SetEvent.KERNEL32(?,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B4140
                        • LeaveCriticalSection.KERNEL32(?,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B4147
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                        • String ID:
                        • API String ID: 1219087420-0
                        • Opcode ID: 1a2fac5c9b999159efd56eb81f885e2f05aafa9c3f35c3b2a1939a4ae0850df8
                        • Instruction ID: 3b052ccc38c3ab284afc3d204b24062f1e7228ad5d42d995911e300e9ea15086
                        • Opcode Fuzzy Hash: 1a2fac5c9b999159efd56eb81f885e2f05aafa9c3f35c3b2a1939a4ae0850df8
                        • Instruction Fuzzy Hash: EE310370600A06AFD706DB28C898B96F7A8FF48314F148259E629CB661CB35B895CFD0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memset$_malloc
                        • String ID: ($6$gfff$gfff
                        • API String ID: 3506388080-713438465
                        • Opcode ID: 33456ebb2468a608b7ebcfb11b4406d8d4d11a59d9dc549158e7697d941f46b7
                        • Instruction ID: fae1f90e6f39444a90591542c8d113dd61ebdce4b4542b967036a3e312dc3107
                        • Opcode Fuzzy Hash: 33456ebb2468a608b7ebcfb11b4406d8d4d11a59d9dc549158e7697d941f46b7
                        • Instruction Fuzzy Hash: ACD18BB1E01318AFEB14EFE6D885A9EBBB9FF49300F10402AE505AB351D770A945CF95
                        APIs
                          • Part of subcall function 035B1610: __vswprintf.LIBCMT ref: 035B1646
                        • _malloc.LIBCMT ref: 035B2330
                          • Part of subcall function 035BF673: __FF_MSGBANNER.LIBCMT ref: 035BF68C
                          • Part of subcall function 035BF673: __NMSG_WRITE.LIBCMT ref: 035BF693
                          • Part of subcall function 035BF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76), ref: 035BF6B8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap__vswprintf_malloc
                        • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                        • API String ID: 3723585974-868042568
                        • Opcode ID: 2a82d7a2476e5fa470a5f5f2f892d5a560add109bb9fcb91af4c03fcc6faf6ae
                        • Instruction ID: fdea4a71c4ad2da836f26bf458b6eacf610928d31b91addc3a753e63c89569ac
                        • Opcode Fuzzy Hash: 2a82d7a2476e5fa470a5f5f2f892d5a560add109bb9fcb91af4c03fcc6faf6ae
                        • Instruction Fuzzy Hash: BAB1A375A002058FCF18CF68E8916EAB7B5BF84310F0849AEDD599F766D731D941CBA0
                        APIs
                          • Part of subcall function 003B1610: __vswprintf.LIBCMT ref: 003B1646
                        • _malloc.LIBCMT ref: 003B2330
                          • Part of subcall function 003B7043: __FF_MSGBANNER.LIBCMT ref: 003B705C
                          • Part of subcall function 003B7043: __NMSG_WRITE.LIBCMT ref: 003B7063
                          • Part of subcall function 003B7043: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003BA0B0,?,00000001,?,?,003BC10B,00000018,003C7C70,0000000C,003BC19B), ref: 003B7088
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: AllocateHeap__vswprintf_malloc
                        • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                        • API String ID: 3723585974-868042568
                        • Opcode ID: 5cfaf5f6db9b4efa9bb0105af02f84de0f76dd1862708a961740e6aba92d6d0d
                        • Instruction ID: b7c4f0e612f7778e570c116dea4595da415e1f67e936b21ce8e053f0f62984fb
                        • Opcode Fuzzy Hash: 5cfaf5f6db9b4efa9bb0105af02f84de0f76dd1862708a961740e6aba92d6d0d
                        • Instruction Fuzzy Hash: EFB1C275A002058BCB19CF69C891AEB7BA5BF84318F09466EEE09DFB46D731DD41CB90
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$_malloc_memcpy_s
                        • String ID: &
                        • API String ID: 3027343870-3042966939
                        • Opcode ID: bc8e6e112c061139a9596f3240d429f853c34e8cae2830de5eda6c03f43a5e61
                        • Instruction ID: 0463b15b3bc8b130c82f7e9ec022a94aa89dbc07dbb79add56523cb014da99db
                        • Opcode Fuzzy Hash: bc8e6e112c061139a9596f3240d429f853c34e8cae2830de5eda6c03f43a5e61
                        • Instruction Fuzzy Hash: C8C141B1A002199FDB24DF55CCC0BAAB7B8EF4D300F1485AED619AB341D774AA85CF58
                        APIs
                        • _free.LIBCMT ref: 035B1878
                        • _free.LIBCMT ref: 035B18B6
                        • _free.LIBCMT ref: 035B18F5
                        • _free.LIBCMT ref: 035B1935
                        • _free.LIBCMT ref: 035B195D
                        • _free.LIBCMT ref: 035B1981
                        • _free.LIBCMT ref: 035B19B9
                          • Part of subcall function 035BF639: RtlFreeHeap.NTDLL(00000000,00000000,?,035C3E4C,00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76), ref: 035BF64F
                          • Part of subcall function 035BF639: GetLastError.KERNEL32(00000000,?,035C3E4C,00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76,00000000), ref: 035BF661
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 64ec968d8bac19bd26bdeaf8685a69d3ecfad544a72aa44231127779a6003708
                        • Instruction ID: 77ec5696fd9a7619ffb6d09654e160b357f0252c034ec974e7edcf1177fa4a87
                        • Opcode Fuzzy Hash: 64ec968d8bac19bd26bdeaf8685a69d3ecfad544a72aa44231127779a6003708
                        • Instruction Fuzzy Hash: 2E516CB6A00651CFC704DF58E5948A9BBB6FF8931472980ADD50A9F331C732AE02CF91
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: e6d8705c8b2e074a591befd5bcc494b5e10d3bbe54f6e4032036311d5e0cbfeb
                        • Instruction ID: f7fc659061e124975003cf2be8ef39c534743d7cfd8c1c672a639840d01ed17c
                        • Opcode Fuzzy Hash: e6d8705c8b2e074a591befd5bcc494b5e10d3bbe54f6e4032036311d5e0cbfeb
                        • Instruction Fuzzy Hash: 3E5160B6600210DFD710EF49C5C08A9BBB6BF8E25472980AED619AF321C731AC42CB95
                        APIs
                        • _free.LIBCMT ref: 003B1878
                        • _free.LIBCMT ref: 003B18B6
                        • _free.LIBCMT ref: 003B18F5
                        • _free.LIBCMT ref: 003B1935
                        • _free.LIBCMT ref: 003B195D
                        • _free.LIBCMT ref: 003B1981
                        • _free.LIBCMT ref: 003B19B9
                          • Part of subcall function 003B7009: HeapFree.KERNEL32(00000000,00000000,?,003B9A24,00000000,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000), ref: 003B701F
                          • Part of subcall function 003B7009: GetLastError.KERNEL32(00000000,?,003B9A24,00000000,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000), ref: 003B7031
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: d2103a739d43fa6c6942ad960b63403ba42d9ca84ebed135618f03169b854fe1
                        • Instruction ID: 9f67d6fc9e299b1ba8f60bb1e0716e70866eb2f0bdca4c75343ef62948059a32
                        • Opcode Fuzzy Hash: d2103a739d43fa6c6942ad960b63403ba42d9ca84ebed135618f03169b854fe1
                        • Instruction Fuzzy Hash: 185173B2A00115CFC706DF48D4A4895B7B6FF89318B6A806ED60A9F721C732BC02CBD1
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 035B3883
                        • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 035B38C4
                        • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 035B3931
                        • GetCurrentThreadId.KERNEL32 ref: 035B395C
                        • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 035B39F4
                        • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 035B3A22
                        • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 035B3A39
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                        • String ID:
                        • API String ID: 3058130114-0
                        • Opcode ID: 760303da0596dfc2d2f5672fb20867064f15551ddf15355a223996c89829acb7
                        • Instruction ID: 5eab771882c09b0b0bc9cc1d29ac72edf1ec93d476eb96e443b7ba4722da7cd5
                        • Opcode Fuzzy Hash: 760303da0596dfc2d2f5672fb20867064f15551ddf15355a223996c89829acb7
                        • Instruction Fuzzy Hash: 695190786007019BDB30DF64E984BEAB7F8BF44714F144929D95AEB6A0DB30F544CB51
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 003B3863
                        • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 003B38A4
                        • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 003B3911
                        • GetCurrentThreadId.KERNEL32 ref: 003B393C
                        • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 003B39D4
                        • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 003B3A02
                        • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 003B3A19
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                        • String ID:
                        • API String ID: 3058130114-0
                        • Opcode ID: 9a410fe0bd853a8f802650fcf1003fbe7817b802d0e0f20be69ec1faffc58c33
                        • Instruction ID: 5c040f243901baa5db65301fb1f5ef28babea42d6eff92a76d2f837dff504a6c
                        • Opcode Fuzzy Hash: 9a410fe0bd853a8f802650fcf1003fbe7817b802d0e0f20be69ec1faffc58c33
                        • Instruction Fuzzy Hash: 53518170600B109BD7629F28CD85BEAB7E8FF04718F514919EA56DBE81DBB0FA40CB51
                        APIs
                        • recv.WS2_32(?,?,00000598,00000000), ref: 003B3C9F
                        • SetLastError.KERNEL32(00000000,?,?,003B397F,?,?,00000000,000000FF,00000000), ref: 003B3CDA
                        • GetLastError.KERNEL32(00000000), ref: 003B3D25
                        • WSAGetLastError.WS2_32(?,?,003B397F,?,?,00000000,000000FF,00000000), ref: 003B3D5B
                        • WSASetLastError.WS2_32(0000000D,?,?,003B397F,?,?,00000000,000000FF,00000000), ref: 003B3D82
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ErrorLast$recv
                        • String ID: @t<
                        • API String ID: 316788870-3957822631
                        • Opcode ID: 9e4012dc962a1adc4bc98646eec8fff5d8199d457e075fc7e99b490ea829bef3
                        • Instruction ID: 0cf8ca8ed16fa17203dbc79fdca33740003855ec8bc29473bec20d27e17ad9a8
                        • Opcode Fuzzy Hash: 9e4012dc962a1adc4bc98646eec8fff5d8199d457e075fc7e99b490ea829bef3
                        • Instruction Fuzzy Hash: CB310A726042109FEB569F68D8C8BE93BA8FB44328F11012AEF05DFA55D731ED808B51
                        APIs
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,035BE815,?,?,?,?,759223A0,00000000), ref: 035BE6BD
                        • CreateFileW.KERNEL32(035E0D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,035BE815,?,?,?,?,759223A0,00000000), ref: 035BE6D7
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 035BE6F2
                        • lstrlenW.KERNEL32(?,00000000,00000000), ref: 035BE6FF
                        • WriteFile.KERNEL32(00000000,?,00000000), ref: 035BE70A
                        • CloseHandle.KERNEL32(00000000), ref: 035BE711
                        • ReleaseMutex.KERNEL32(00000000), ref: 035BE71E
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
                        • String ID:
                        • API String ID: 4202892810-0
                        • Opcode ID: 406dacb303f514be607ed0b78af1e26b3a7a2cf2f8a506651fb6f73439b0501f
                        • Instruction ID: c991f124d1c712d111ae55dee084a7ad79dde08dea9f8e09265c827b07a2775b
                        • Opcode Fuzzy Hash: 406dacb303f514be607ed0b78af1e26b3a7a2cf2f8a506651fb6f73439b0501f
                        • Instruction Fuzzy Hash: 5801A471282214BBE2347BA4FC0EF9A376CEB09B21F104604F725E61E4D6B06926E765
                        APIs
                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,035D6318,00000008,035C3E36,00000000,00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C), ref: 035C3D3F
                        • __lock.LIBCMT ref: 035C3D73
                          • Part of subcall function 035C8E5B: __mtinitlocknum.LIBCMT ref: 035C8E71
                          • Part of subcall function 035C8E5B: __amsg_exit.LIBCMT ref: 035C8E7D
                          • Part of subcall function 035C8E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,035C3F06,0000000D,035D6340,00000008,035C3FFF,00000000,?,035C10F0,00000000,035D6278,00000008,035C1155,?), ref: 035C8E85
                        • InterlockedIncrement.KERNEL32(?), ref: 035C3D80
                        • __lock.LIBCMT ref: 035C3D94
                        • ___addlocaleref.LIBCMT ref: 035C3DB2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                        • String ID: KERNEL32.DLL
                        • API String ID: 637971194-2576044830
                        • Opcode ID: bfdaa6ef92c845919c2bbc3327ea77a461386f364ddbb369b2681bfc20b6304f
                        • Instruction ID: fb9d547982aa4b8040ec2395e0069dd290dd803c3b078509ec8a739a8908cceb
                        • Opcode Fuzzy Hash: bfdaa6ef92c845919c2bbc3327ea77a461386f364ddbb369b2681bfc20b6304f
                        • Instruction Fuzzy Hash: B0016179511742EFD730EFA9E414749BBF0BF80718F10890DD4965B6B0CB78A545CB25
                        APIs
                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,003C7C00,00000008,003B9A0E,00000000,00000000,?,?,?,?,?,?,003BAF67,?,?,E07698D6), ref: 003B9917
                        • __lock.LIBCMT ref: 003B994B
                          • Part of subcall function 003BC180: __mtinitlocknum.LIBCMT ref: 003BC196
                          • Part of subcall function 003BC180: __amsg_exit.LIBCMT ref: 003BC1A2
                          • Part of subcall function 003BC180: EnterCriticalSection.KERNEL32(?,?,?,003B9950,0000000D), ref: 003BC1AA
                        • InterlockedIncrement.KERNEL32(003C9720), ref: 003B9958
                        • __lock.LIBCMT ref: 003B996C
                        • ___addlocaleref.LIBCMT ref: 003B998A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                         • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                        • String ID: KERNEL32.DLL
                        • API String ID: 637971194-2576044830
                        • Opcode ID: e3b3d4872b0a335f82915aa6b92f98918eba7723d7563479eeffe44a0bb95ab6
                        • Instruction ID: 139f46d143e480d1fd9bd3da9464848cd16d5b0b413c15c4495418af5db23fca
                        • Opcode Fuzzy Hash: e3b3d4872b0a335f82915aa6b92f98918eba7723d7563479eeffe44a0bb95ab6
                        • Instruction Fuzzy Hash: BB01A171405B00EED7229F79C849B89FBE4AF50319F10850EE695DAAA1CBB4B940CB54
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 035BB7A7
                        • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 035BB7B7
                        • RegSetValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,?,00000004), ref: 035BB7CE
                        • RegCloseKey.ADVAPI32(?,?,00000004), ref: 035BB7D9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Value$CloseDeleteOpen
                        • String ID: Console$IpDatespecial
                        • API String ID: 3183427449-1840232981
                        • Opcode ID: 641a826f380647e5d00564f5cf848ad8a86d36f3431ad46efddca6810c7b9de4
                        • Instruction ID: 9a4612f13ebc40284e5d243e675de14702c288dc851c470bf87820be6faa87ce
                        • Opcode Fuzzy Hash: 641a826f380647e5d00564f5cf848ad8a86d36f3431ad46efddca6810c7b9de4
                        • Instruction Fuzzy Hash: 63F0A772345340BFD3349764BC4FF5ABB54FB8D705F104E0DB744691D197609115D662
                        APIs
                        • __getptd.LIBCMT ref: 035D031D
                          • Part of subcall function 035C3E5B: __getptd_noexit.LIBCMT ref: 035C3E5E
                          • Part of subcall function 035C3E5B: __amsg_exit.LIBCMT ref: 035C3E6B
                        • __getptd.LIBCMT ref: 035D032E
                        • __getptd.LIBCMT ref: 035D033C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                         • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __getptd$__amsg_exit__getptd_noexit
                        • String ID: MOC$RCC$csm
                        • API String ID: 803148776-2671469338
                        • Opcode ID: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                        • Instruction ID: 05694a5140d6b8a24352adde29fb30d1e52c41df11fd3bd09d5a29348af6c11b
                        • Opcode Fuzzy Hash: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                        • Instruction Fuzzy Hash: D0E01238510249CFC730E7ACE04AB6837E9BB84618F5944A5D40CCF671C738D4908642
                        APIs
                        • __getptd.LIBCMT ref: 003C33E2
                          • Part of subcall function 003B9A33: __getptd_noexit.LIBCMT ref: 003B9A36
                          • Part of subcall function 003B9A33: __amsg_exit.LIBCMT ref: 003B9A43
                        • __getptd.LIBCMT ref: 003C33F3
                        • __getptd.LIBCMT ref: 003C3401
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: __getptd$__amsg_exit__getptd_noexit
                        • String ID: MOC$RCC$csm
                        • API String ID: 803148776-2671469338
                        • Opcode ID: 8149de7511cd4e6ff05cba69110b733c41889b0d36a929712ecf72fb4e9677b7
                        • Instruction ID: e7af9319cef45a5f26d5347e3ba85930d74f713e869b39244b80340f914ac399
                        • Opcode Fuzzy Hash: 8149de7511cd4e6ff05cba69110b733c41889b0d36a929712ecf72fb4e9677b7
                        • Instruction Fuzzy Hash: C1E01234218104CFC726B764C04ABA837D4FB8C318F9680E6EA4DCF622CB38DE515742
                        APIs
                        • _malloc.LIBCMT ref: 035B9C3F
                          • Part of subcall function 035BF673: __FF_MSGBANNER.LIBCMT ref: 035BF68C
                          • Part of subcall function 035BF673: __NMSG_WRITE.LIBCMT ref: 035BF693
                          • Part of subcall function 035BF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76), ref: 035BF6B8
                        • _free.LIBCMT ref: 035B9C63
                        • _memset.LIBCMT ref: 035B9CBB
                          • Part of subcall function 035BA610: GetObjectW.GDI32(?,00000054,?), ref: 035BA62E
                        • CreateDIBSection.GDI32(00000000,00000008,00000000,00000000,00000000,00000000), ref: 035B9CD3
                        • _free.LIBCMT ref: 035B9CE4
                        • _free.LIBCMT ref: 035B9D23
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$AllocateCreateHeapObjectSection_malloc_memset
                        • String ID:
                        • API String ID: 1756752955-0
                        • Opcode ID: db72aac25337d002d568248bdfa3ad9880ff9096f2968e8bd20384aca378f5fe
                        • Instruction ID: 10612996828bf17b8fe97ef41cbb927a146240fb675f2d0a0afda6670577cda9
                        • Opcode Fuzzy Hash: db72aac25337d002d568248bdfa3ad9880ff9096f2968e8bd20384aca378f5fe
                        • Instruction Fuzzy Hash: 7231A2B26007066BE710DF6AE880B96B7F8FB49310F04853ADA09CB660E7B1E554CBD5
                        APIs
                        • EnterCriticalSection.KERNEL32(000002FF), ref: 035B50CA
                        • WSASetLastError.WS2_32(0000139F), ref: 035B50E2
                        • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 035B50EC
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterErrorLastLeave
                        • String ID:
                        • API String ID: 4082018349-0
                        • Opcode ID: 739830a84ebce851d8d3ea0e94f5fbf4c97a10c20690edcdc87f94a6f6ad9836
                        • Instruction ID: b5ac952524c58d0995c2bfce1cd88c8530a8f51a0e2b8424b5464fc4a507a00d
                        • Opcode Fuzzy Hash: 739830a84ebce851d8d3ea0e94f5fbf4c97a10c20690edcdc87f94a6f6ad9836
                        • Instruction Fuzzy Hash: C231BE76A04748ABD724DF54E886FAAB3F8FB49710F00495EF916C7690E736A810CB50
                        APIs
                        • EnterCriticalSection.KERNEL32(000002FF), ref: 003B50BA
                        • WSASetLastError.WS2_32(0000139F), ref: 003B50D2
                        • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 003B50DC
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterErrorLastLeave
                        • String ID:
                        • API String ID: 4082018349-0
                        • Opcode ID: 67b120fd05cf0da2e4028a29ebd5e8a3a3430c57522960fdd4e836ac064ee4c7
                        • Instruction ID: f7aa2bdf5aa812f2e240c6146aa5d49bc5be576c53b8157f1e38221611189b94
                        • Opcode Fuzzy Hash: 67b120fd05cf0da2e4028a29ebd5e8a3a3430c57522960fdd4e836ac064ee4c7
                        • Instruction Fuzzy Hash: EB316276A04A44ABD712CF59DD45FAAB3E8FB48714F10451AFA15C7B81D736B800CB90
                        APIs
                        • __CreateFrameInfo.LIBCMT ref: 035D05D6
                          • Part of subcall function 035D00B7: __getptd.LIBCMT ref: 035D00C5
                          • Part of subcall function 035D00B7: __getptd.LIBCMT ref: 035D00D3
                        • __getptd.LIBCMT ref: 035D05E0
                          • Part of subcall function 035C3E5B: __getptd_noexit.LIBCMT ref: 035C3E5E
                          • Part of subcall function 035C3E5B: __amsg_exit.LIBCMT ref: 035C3E6B
                        • __getptd.LIBCMT ref: 035D05EE
                        • __getptd.LIBCMT ref: 035D05FC
                        • __getptd.LIBCMT ref: 035D0607
                        • _CallCatchBlock2.LIBCMT ref: 035D062D
                          • Part of subcall function 035D015C: __CallSettingFrame@12.LIBCMT ref: 035D01A8
                          • Part of subcall function 035D06D4: __getptd.LIBCMT ref: 035D06E3
                          • Part of subcall function 035D06D4: __getptd.LIBCMT ref: 035D06F1
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                        • String ID:
                        • API String ID: 1602911419-0
                        • Opcode ID: bc6d92466165bbcb37097b9e4b5929f7206b61759c29b1f01b64bb972fe9b9d3
                        • Instruction ID: 8a64005ef0530083a2bd13f7067075b85777ee6743000b6f3f31800125c25dad
                        • Opcode Fuzzy Hash: bc6d92466165bbcb37097b9e4b5929f7206b61759c29b1f01b64bb972fe9b9d3
                        • Instruction Fuzzy Hash: 4511D7B9D1034ADFDF10EFA4E484AAD7BB0FF44314F108469E829AB260DB389A55DF50
                        APIs
                        • __CreateFrameInfo.LIBCMT ref: 003C369B
                          • Part of subcall function 003C322B: __getptd.LIBCMT ref: 003C3239
                          • Part of subcall function 003C322B: __getptd.LIBCMT ref: 003C3247
                        • __getptd.LIBCMT ref: 003C36A5
                          • Part of subcall function 003B9A33: __getptd_noexit.LIBCMT ref: 003B9A36
                          • Part of subcall function 003B9A33: __amsg_exit.LIBCMT ref: 003B9A43
                        • __getptd.LIBCMT ref: 003C36B3
                        • __getptd.LIBCMT ref: 003C36C1
                        • __getptd.LIBCMT ref: 003C36CC
                        • _CallCatchBlock2.LIBCMT ref: 003C36F2
                          • Part of subcall function 003C32D0: __CallSettingFrame@12.LIBCMT ref: 003C331C
                          • Part of subcall function 003C3799: __getptd.LIBCMT ref: 003C37A8
                          • Part of subcall function 003C3799: __getptd.LIBCMT ref: 003C37B6
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                        • String ID:
                        • API String ID: 1602911419-0
                        • Opcode ID: d763d565c34733e37fe3ff81e56b2e116bd9f0482c96402fc571334806cb9586
                        • Instruction ID: 144ce61f3c7c19d8ff4ca45c728f48babb6e7a849bd4bb58b3523062290eddf1
                        • Opcode Fuzzy Hash: d763d565c34733e37fe3ff81e56b2e116bd9f0482c96402fc571334806cb9586
                        • Instruction Fuzzy Hash: B711C6B1D04209DFDB01EFA4D845BEDBBB0FF08315F50846AF914AB251DB789A159F50
                        APIs
                        • __getptd.LIBCMT ref: 035C4891
                          • Part of subcall function 035C3E5B: __getptd_noexit.LIBCMT ref: 035C3E5E
                          • Part of subcall function 035C3E5B: __amsg_exit.LIBCMT ref: 035C3E6B
                        • __amsg_exit.LIBCMT ref: 035C48B1
                        • __lock.LIBCMT ref: 035C48C1
                        • InterlockedDecrement.KERNEL32(?), ref: 035C48DE
                        • _free.LIBCMT ref: 035C48F1
                        • InterlockedIncrement.KERNEL32(03801668), ref: 035C4909
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                        • String ID:
                        • API String ID: 3470314060-0
                        • Opcode ID: c23ea91e89b2e68c57cc095980eb4d2f47913ec86c31ce1e9478664a25d1ae56
                        • Instruction ID: ee333e4d028e99bc63e223e30230dc4521be6466cc3777689415b928efd56cd9
                        • Opcode Fuzzy Hash: c23ea91e89b2e68c57cc095980eb4d2f47913ec86c31ce1e9478664a25d1ae56
                        • Instruction Fuzzy Hash: 23017075D127929FDB22EBDAB414F59B7B0BB44B14F04000DE81067174CB745556DBD1
                        APIs
                        • __getptd.LIBCMT ref: 003BDA0A
                          • Part of subcall function 003B9A33: __getptd_noexit.LIBCMT ref: 003B9A36
                          • Part of subcall function 003B9A33: __amsg_exit.LIBCMT ref: 003B9A43
                        • __amsg_exit.LIBCMT ref: 003BDA2A
                        • __lock.LIBCMT ref: 003BDA3A
                        • InterlockedDecrement.KERNEL32(?), ref: 003BDA57
                        • _free.LIBCMT ref: 003BDA6A
                        • InterlockedIncrement.KERNEL32(02EF2D00), ref: 003BDA82
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                        • String ID:
                        • API String ID: 3470314060-0
                        • Opcode ID: 4205dc62eb36f6cdd619a31bd819521326f3c31360d78c4ae918fe4692459748
                        • Instruction ID: 3947b5cd34c4d00f51b6c030fd279dc034b4b562427718633485f6269087eac5
                        • Opcode Fuzzy Hash: 4205dc62eb36f6cdd619a31bd819521326f3c31360d78c4ae918fe4692459748
                        • Instruction Fuzzy Hash: 4601AD31909A21EBC723AB649449BDDB364BF00728F164116EA01ABA80DB34BD81CBD5
                        APIs
                        • DeleteObject.GDI32(?), ref: 035B9BD2
                        • EnterCriticalSection.KERNEL32(035DFB64,?,?,?,035B9B7B), ref: 035B9BE3
                        • EnterCriticalSection.KERNEL32(035DFB64,?,?,?,035B9B7B), ref: 035B9BF8
                        • GdiplusShutdown.GDIPLUS(00000000,?,?,?,035B9B7B), ref: 035B9C04
                        • LeaveCriticalSection.KERNEL32(035DFB64,?,?,?,035B9B7B), ref: 035B9C15
                        • LeaveCriticalSection.KERNEL32(035DFB64,?,?,?,035B9B7B), ref: 035B9C1C
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
                        • String ID:
                        • API String ID: 4268643673-0
                        • Opcode ID: 26eb323fa8060dede0c2eaeacd55211fa02c858ea304ad5348a73ef23e269a9d
                        • Instruction ID: 78502352a3abc57db21c0d16b818d9db896bc9f8db1e65c8537702a781fd5a9b
                        • Opcode Fuzzy Hash: 26eb323fa8060dede0c2eaeacd55211fa02c858ea304ad5348a73ef23e269a9d
                        • Instruction Fuzzy Hash: 5E017CB1902304EFC724EF6AE890818BBA4FE4921533485AEE159CB226C332C417DF94
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 035B48E1
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 035B48EC
                        • Sleep.KERNEL32(00000258), ref: 035B48F9
                        • CloseHandle.KERNEL32(?), ref: 035B4914
                        • CloseHandle.KERNEL32(?), ref: 035B491D
                        • Sleep.KERNEL32(0000012C), ref: 035B492E
                          • Part of subcall function 035B3F60: GetCurrentThreadId.KERNEL32 ref: 035B3F65
                          • Part of subcall function 035B3F60: send.WS2_32(?,035D49C0,00000010,00000000), ref: 035B3FC6
                          • Part of subcall function 035B3F60: SetEvent.KERNEL32(?), ref: 035B3FE9
                          • Part of subcall function 035B3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 035B3FF5
                          • Part of subcall function 035B3F60: WSACloseEvent.WS2_32(?), ref: 035B4003
                          • Part of subcall function 035B3F60: shutdown.WS2_32(?,00000001), ref: 035B401B
                          • Part of subcall function 035B3F60: closesocket.WS2_32(?), ref: 035B4025
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                        • String ID:
                        • API String ID: 1019945655-0
                        • Opcode ID: 0bd91267bbba75a6f23e4b9509687537ebe468b7b03eb86c174f50b3ac183949
                        • Instruction ID: 4a6b52193d4ef3cdcd938880b40ba933c1993c1394a3a72dc8e6b72892111b82
                        • Opcode Fuzzy Hash: 0bd91267bbba75a6f23e4b9509687537ebe468b7b03eb86c174f50b3ac183949
                        • Instruction Fuzzy Hash: 6AF096762056045BC224EB69DC84C4AF3E9EFC9720B144B09F265833A4CA70E801CBA0
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003B48D1
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003B48DC
                        • Sleep.KERNEL32(00000258), ref: 003B48E9
                        • CloseHandle.KERNEL32(?), ref: 003B4904
                        • CloseHandle.KERNEL32(?), ref: 003B490D
                        • Sleep.KERNEL32(0000012C), ref: 003B491E
                          • Part of subcall function 003B3F50: GetCurrentThreadId.KERNEL32 ref: 003B3F55
                          • Part of subcall function 003B3F50: send.WS2_32(?,003C7440,00000010,00000000), ref: 003B3FB6
                          • Part of subcall function 003B3F50: SetEvent.KERNEL32(?), ref: 003B3FD9
                          • Part of subcall function 003B3F50: InterlockedExchange.KERNEL32(?,00000000), ref: 003B3FE5
                          • Part of subcall function 003B3F50: WSACloseEvent.WS2_32(?), ref: 003B3FF3
                          • Part of subcall function 003B3F50: shutdown.WS2_32(?,00000001), ref: 003B400B
                          • Part of subcall function 003B3F50: closesocket.WS2_32(?), ref: 003B4015
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                        • String ID:
                        • API String ID: 1019945655-0
                        • Opcode ID: f1812176800e7a723345e93aca3143e494cbe6d51db5db644f3f4908a31acec2
                        • Instruction ID: 13f4b2b189eb316adfa6b724667c9cea4c29b7df185c089e8fe9665a50484c2a
                        • Opcode Fuzzy Hash: f1812176800e7a723345e93aca3143e494cbe6d51db5db644f3f4908a31acec2
                        • Instruction Fuzzy Hash: 9EF030762047105BC621EBA9DC84D4AF3E9BFD9720B114B09E269C7690CA75FC418BA4
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 035B3311
                        • Sleep.KERNEL32(00000258), ref: 035B331E
                        • InterlockedExchange.KERNEL32(?,00000000), ref: 035B3326
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 035B3332
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 035B333A
                        • Sleep.KERNEL32(0000012C), ref: 035B334B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                        • String ID:
                        • API String ID: 3137405945-0
                        • Opcode ID: fd533ae56d5f2b996ee17e7f2c9cbcbe07b1507bc80da2f28e3098432e9643a9
                        • Instruction ID: d6c134fc85a112c8f8de7850a80e550a3d5d28dd9933e8ba80d54c9854b5f013
                        • Opcode Fuzzy Hash: fd533ae56d5f2b996ee17e7f2c9cbcbe07b1507bc80da2f28e3098432e9643a9
                        • Instruction Fuzzy Hash: 8CF0A7722053046FD620EBA9DC84D46F3ECEF89334F204B09F261832E4CAB0E806DB60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memset$_vswprintf_s
                        • String ID: D
                        • API String ID: 3424173483-2746444292
                        • Opcode ID: 2f372f8b193b55f381ae2940e49f38bf8b0d2135d2ee914d7ca5118c505ab299
                        • Instruction ID: f44fd43a0d4d44bc0b4cef333e8ea38be44f8339457bdfc8e4a11501c1ef6dc6
                        • Opcode Fuzzy Hash: 2f372f8b193b55f381ae2940e49f38bf8b0d2135d2ee914d7ca5118c505ab299
                        • Instruction Fuzzy Hash: 5381D6B19403187BE721DB618C89FEBB77CEF99700F500099F749AB181DBB05B858B68
                        APIs
                        • lstrlenW.KERNEL32(?), ref: 003B5D88
                        • _memset.LIBCMT ref: 003B5D92
                        • lstrlenW.KERNEL32(|p1:45.207.211.42|o1:6666|t1:1|p2:45.207.211.42|o2:6666|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:), ref: 003B5D9F
                        • lstrlenW.KERNEL32(?), ref: 003B5DA7
                        Strings
                        • |p1:45.207.211.42|o1:6666|t1:1|p2:45.207.211.42|o2:6666|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:, xrefs: 003B5D9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: lstrlen$_memset
                        • String ID: |p1:45.207.211.42|o1:6666|t1:1|p2:45.207.211.42|o2:6666|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:
                        • API String ID: 2425037729-2872954899
                        • Opcode ID: 677067d1deb8edb600d6462da5569ad1ed5fb754182155f81e4f5ab792bfdf6d
                        • Instruction ID: 9890a9d790ecc8ea322040bf43b5dce82492be94753ed6ece029a7b0348cf917
                        • Opcode Fuzzy Hash: 677067d1deb8edb600d6462da5569ad1ed5fb754182155f81e4f5ab792bfdf6d
                        • Instruction Fuzzy Hash: FF216B76B009186BCB279F19EC54AEE739CEB54728B56426DEF05C7A00E732AD4183E1
                        APIs
                        • EnterCriticalSection.KERNEL32(?,EN;,003B42AE,00000000,?,?,003B4E45,?,?,?,?,00000000,000000FF), ref: 003B41D8
                        • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,000000FF), ref: 003B41E6
                        • LeaveCriticalSection.KERNEL32(?), ref: 003B4247
                        • SetEvent.KERNEL32(?), ref: 003B4262
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CriticalSection$Leave$EnterEvent
                        • String ID: EN;
                        • API String ID: 3394196147-1457593750
                        • Opcode ID: 3e248cdad6589f4b526b63f1adae341ed480558e043afd1b0ee856517566abcd
                        • Instruction ID: 90b532dae38e851caddf35b600f57e234e073ea14b29a766d9c7012ecb5909b2
                        • Opcode Fuzzy Hash: 3e248cdad6589f4b526b63f1adae341ed480558e043afd1b0ee856517566abcd
                        • Instruction Fuzzy Hash: 3C11E0B0A01B049FD725CF78C984AD6B7E9BF48305F55892DE55ACB612EB30F841CB40
                        APIs
                        • ___BuildCatchObject.LIBCMT ref: 035D096E
                          • Part of subcall function 035D08C9: ___BuildCatchObjectHelper.LIBCMT ref: 035D08FF
                        • _UnwindNestedFrames.LIBCMT ref: 035D0985
                        • ___FrameUnwindToState.LIBCMT ref: 035D0993
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                        • String ID: csm$csm
                        • API String ID: 2163707966-3733052814
                        • Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                        • Instruction ID: 615ea8293853824191aed95c35a86a3d9b0a914d7ed98f7ee163edbfe45dbc73
                        • Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                        • Instruction Fuzzy Hash: 9301247500120ABBEF22AF55EC44EAABF7AFF48350F048014BC091A1B0D736D9B1DBA1
                        APIs
                        • ___BuildCatchObject.LIBCMT ref: 003C3A33
                          • Part of subcall function 003C398E: ___BuildCatchObjectHelper.LIBCMT ref: 003C39C4
                        • _UnwindNestedFrames.LIBCMT ref: 003C3A4A
                        • ___FrameUnwindToState.LIBCMT ref: 003C3A58
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                        • String ID: csm$csm
                        • API String ID: 2163707966-3733052814
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 035BB800
                        • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 035BB810
                        • RegCloseKey.ADVAPI32(?), ref: 035BB81B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseDeleteOpenValue
                        • String ID: Console$IpDatespecial
                        • API String ID: 849931509-1840232981
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,F17FF389), ref: 035BB9DA
                        • _memset.LIBCMT ref: 035BB9FB
                        • _memset.LIBCMT ref: 035BBA4B
                        • Process32FirstW.KERNEL32(00000000,?), ref: 035BBA65
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 035BBAB7
                          • Part of subcall function 035BF707: _malloc.LIBCMT ref: 035BF721
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32_memset$CreateFirstNextSnapshotToolhelp32_malloc
                        • String ID:
                        • API String ID: 2416807333-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$_malloc_memset
                        • String ID:
                        • API String ID: 2102557794-0
                        APIs
                        • recv.WS2_32(?,?,00000598,00000000), ref: 035B3CBF
                        • SetLastError.KERNEL32(00000000,?,?,035B399F,?,?,00000000,000000FF,00000000), ref: 035B3CFA
                        • GetLastError.KERNEL32(00000000), ref: 035B3D45
                        • WSAGetLastError.WS2_32(?,?,035B399F,?,?,00000000,000000FF,00000000), ref: 035B3D7B
                        • WSASetLastError.WS2_32(0000000D,?,?,035B399F,?,?,00000000,000000FF,00000000), ref: 035B3DA2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$recv
                        • String ID:
                        • API String ID: 316788870-0
                        APIs
                        • _malloc.LIBCMT ref: 035C0EF9
                          • Part of subcall function 035BF673: __FF_MSGBANNER.LIBCMT ref: 035BF68C
                          • Part of subcall function 035BF673: __NMSG_WRITE.LIBCMT ref: 035BF693
                          • Part of subcall function 035BF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76), ref: 035BF6B8
                        • _free.LIBCMT ref: 035C0F0C
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap_free_malloc
                        • String ID:
                        • API String ID: 1020059152-0
                        APIs
                        • _malloc.LIBCMT ref: 003BE625
                          • Part of subcall function 003B7043: __FF_MSGBANNER.LIBCMT ref: 003B705C
                          • Part of subcall function 003B7043: __NMSG_WRITE.LIBCMT ref: 003B7063
                          • Part of subcall function 003B7043: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003BA0B0,?,00000001,?,?,003BC10B,00000018,003C7C70,0000000C,003BC19B), ref: 003B7088
                        • _free.LIBCMT ref: 003BE638
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: AllocateHeap_free_malloc
                        • String ID:
                        • API String ID: 1020059152-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                        • String ID:
                        • API String ID: 955811338-0
                        APIs
                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 035B2C3F
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 035B2C55
                        • TranslateMessage.USER32(?), ref: 035B2C64
                        • DispatchMessageW.USER32(?), ref: 035B2C6A
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 035B2C78
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                        • String ID:
                        • API String ID: 2015114452-0
                        APIs
                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 003B2BFF
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 003B2C15
                        • TranslateMessage.USER32(?), ref: 003B2C24
                        • DispatchMessageW.USER32(?), ref: 003B2C2A
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B2C38
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                        • String ID:
                        • API String ID: 2015114452-0
                        APIs
                        • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 035B4B83
                        • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 035B4B8D
                        • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 035B4BA0
                        • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 035B4BA3
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$EnterLeave
                        • String ID:
                        • API String ID: 3168844106-0
                        APIs
                        • __CreateFrameInfo.LIBCMT ref: 0344FF95
                          • Part of subcall function 0344FA76: __getptd.LIBCMT ref: 0344FA84
                          • Part of subcall function 0344FA76: __getptd.LIBCMT ref: 0344FA92
                        • __getptd.LIBCMT ref: 0344FF9F
                          • Part of subcall function 0344381A: __getptd_noexit.LIBCMT ref: 0344381D
                          • Part of subcall function 0344381A: __amsg_exit.LIBCMT ref: 0344382A
                        • __getptd.LIBCMT ref: 0344FFAD
                        • __getptd.LIBCMT ref: 0344FFBB
                        • __getptd.LIBCMT ref: 0344FFC6
                          • Part of subcall function 0344FB1B: __CallSettingFrame@12.LIBCMT ref: 0344FB67
                          • Part of subcall function 03450093: __getptd.LIBCMT ref: 034500A2
                          • Part of subcall function 03450093: __getptd.LIBCMT ref: 034500B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                        • String ID:
                        • API String ID: 3282538202-0
                        APIs
                        • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 003B4B73
                        • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 003B4B7D
                        • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 003B4B90
                        • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 003B4B93
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeave
                        • String ID:
                        • API String ID: 3168844106-0
                        APIs
                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 035B2D5C
                        • CancelIo.KERNEL32(?), ref: 035B2D66
                        • InterlockedExchange.KERNEL32(00000000,00000000), ref: 035B2D6F
                        • closesocket.WS2_32(?), ref: 035B2D79
                        • SetEvent.KERNEL32(00000001), ref: 035B2D83
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                        • String ID:
                        • API String ID: 1486965892-0
                        APIs
                        • __getptd.LIBCMT ref: 035C5012
                          • Part of subcall function 035C3E5B: __getptd_noexit.LIBCMT ref: 035C3E5E
                          • Part of subcall function 035C3E5B: __amsg_exit.LIBCMT ref: 035C3E6B
                        • __getptd.LIBCMT ref: 035C5029
                        • __amsg_exit.LIBCMT ref: 035C5037
                        • __lock.LIBCMT ref: 035C5047
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 035C505B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                        • String ID:
                        • API String ID: 938513278-0
                        APIs
                        • __getptd.LIBCMT ref: 034449D1
                          • Part of subcall function 0344381A: __getptd_noexit.LIBCMT ref: 0344381D
                          • Part of subcall function 0344381A: __amsg_exit.LIBCMT ref: 0344382A
                        • __getptd.LIBCMT ref: 034449E8
                        • __amsg_exit.LIBCMT ref: 034449F6
                        • __lock.LIBCMT ref: 03444A06
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 03444A1A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                        • String ID:
                        • API String ID: 938513278-0
                        APIs
                        • __getptd.LIBCMT ref: 003BE18C
                          • Part of subcall function 003B9A33: __getptd_noexit.LIBCMT ref: 003B9A36
                          • Part of subcall function 003B9A33: __amsg_exit.LIBCMT ref: 003B9A43
                        • __getptd.LIBCMT ref: 003BE1A3
                        • __amsg_exit.LIBCMT ref: 003BE1B1
                        • __lock.LIBCMT ref: 003BE1C1
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 003BE1D5
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                        • String ID:
                        • API String ID: 938513278-0
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 035BC932
                        • GetCommandLineW.KERNEL32 ref: 035BC938
                        • GetStartupInfoW.KERNEL32(?), ref: 035BC947
                        • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 035BC96F
                        • ExitProcess.KERNEL32 ref: 035BC977
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                        • String ID:
                        • API String ID: 3421218197-0
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 035B75D2
                        • GetCommandLineW.KERNEL32 ref: 035B75D8
                        • GetStartupInfoW.KERNEL32(?), ref: 035B75E7
                        • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 035B760F
                        • ExitProcess.KERNEL32 ref: 035B7617
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                        • String ID:
                        • API String ID: 3421218197-0
                        APIs
                          • Part of subcall function 035C1CD0: _doexit.LIBCMT ref: 035C1CDC
                        • ___set_flsgetvalue.LIBCMT ref: 035BF9CA
                          • Part of subcall function 035C3CA0: TlsGetValue.KERNEL32(00000000,035C3DF9,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76,00000000,00000000), ref: 035C3CA9
                          • Part of subcall function 035C3CA0: DecodePointer.KERNEL32(?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76,00000000,00000000,?,035C3F06,0000000D), ref: 035C3CBB
                          • Part of subcall function 035C3CA0: TlsSetValue.KERNEL32(00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76,00000000,00000000,?,035C3F06), ref: 035C3CCA
                        • ___fls_getvalue@4.LIBCMT ref: 035BF9D5
                          • Part of subcall function 035C3C80: TlsGetValue.KERNEL32(?,?,035BF9DA,00000000), ref: 035C3C8E
                        • ___fls_setvalue@8.LIBCMT ref: 035BF9E8
                          • Part of subcall function 035C3CD4: DecodePointer.KERNEL32(?,?,?,035BF9ED,00000000,?,00000000), ref: 035C3CE5
                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 035BF9F1
                        • ExitThread.KERNEL32 ref: 035BF9F8
                        • GetCurrentThreadId.KERNEL32 ref: 035BF9FE
                        • __freefls@4.LIBCMT ref: 035BFA1E
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                        • String ID:
                        • API String ID: 781180411-0
                        • Opcode ID: 52264a52f3e5c6567f604b1abf88643ccb1dcf7b9b1ac6a6a04d75124358db89
                        • Instruction ID: e235c5f7ee106ad881d2cdcf67582a23a1b07403915d0e8ff011c954d84d1e01
                        • Opcode Fuzzy Hash: 52264a52f3e5c6567f604b1abf88643ccb1dcf7b9b1ac6a6a04d75124358db89
                        • Instruction Fuzzy Hash: BFE01A2DA2139E7FCB10B7F1AD0988E7A3C7D80189F144404FA049A020EA2C9D1186A2
                        APIs
                          • Part of subcall function 003B83D2: _doexit.LIBCMT ref: 003B83DE
                        • ___set_flsgetvalue.LIBCMT ref: 003B737C
                          • Part of subcall function 003B9878: TlsGetValue.KERNEL32(7FFFFFFF,003B99D1,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000,?,003B772F,?), ref: 003B9881
                          • Part of subcall function 003B9878: DecodePointer.KERNEL32(?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000,?,003B772F,?,00000000,0000000A), ref: 003B9893
                          • Part of subcall function 003B9878: TlsSetValue.KERNEL32(00000000,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000,?,003B772F,?,00000000), ref: 003B98A2
                        • ___fls_getvalue@4.LIBCMT ref: 003B7387
                          • Part of subcall function 003B9858: TlsGetValue.KERNEL32(?,?,003B738C,00000000), ref: 003B9866
                        • ___fls_setvalue@8.LIBCMT ref: 003B739A
                          • Part of subcall function 003B98AC: DecodePointer.KERNEL32(?,?,?,003B739F,00000000,?,00000000), ref: 003B98BD
                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 003B73A3
                        • ExitThread.KERNEL32 ref: 003B73AA
                        • GetCurrentThreadId.KERNEL32 ref: 003B73B0
                        • __freefls@4.LIBCMT ref: 003B73D0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                        • String ID:
                        • API String ID: 781180411-0
                        • Opcode ID: c67145f597000a1840f14465233b99623dd3dd80ee0a10e91381091d8c64c450
                        • Instruction ID: f76c53fdc2b9465f7099c256d72ded8498e46a2dcb983827c569b09e0ad86d83
                        • Opcode Fuzzy Hash: c67145f597000a1840f14465233b99623dd3dd80ee0a10e91381091d8c64c450
                        • Instruction Fuzzy Hash: 5BE0B6658046296B8F0337B19C0EADF3AADDD42349B554412FF15DB912EF28E85187E2
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memset$_vswprintf_s
                        • String ID: D
                        • API String ID: 3424173483-2746444292
                        • Opcode ID: cf7116fa26cd05665a4fc66a2bfa2b13dadcbba7699ed49424b3b1d6dc26d4e0
                        • Instruction ID: b649eab9e4a2c4b51fc6289dde2cfd58bf978262061a8539513053e43cb53350
                        • Opcode Fuzzy Hash: cf7116fa26cd05665a4fc66a2bfa2b13dadcbba7699ed49424b3b1d6dc26d4e0
                        • Instruction Fuzzy Hash: 124194B5940218AFEB20DB61DC94FDEB7BCAB49700F1042D9E649AB181D6B05B85CF58
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 035B944A
                          • Part of subcall function 035BEF86: std::exception::exception.LIBCMT ref: 035BEF9B
                          • Part of subcall function 035BEF86: __CxxThrowException@8.LIBCMT ref: 035BEFB0
                          • Part of subcall function 035BEF86: std::exception::exception.LIBCMT ref: 035BEFC1
                        • std::_Xinvalid_argument.LIBCPMT ref: 035B9482
                          • Part of subcall function 035BEF39: std::exception::exception.LIBCMT ref: 035BEF4E
                          • Part of subcall function 035BEF39: __CxxThrowException@8.LIBCMT ref: 035BEF63
                          • Part of subcall function 035BEF39: std::exception::exception.LIBCMT ref: 035BEF74
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                        • String ID: invalid string position$string too long
                        • API String ID: 1823113695-4289949731
                        • Opcode ID: a51b261d51ca12070454cee3b6fc1a415a32f15e065068b1797963adff9ad074
                        • Instruction ID: aa8085f92d58691ad1eda8d70e33cf13900329b9c8d0c0630a139f07f6c2bd78
                        • Opcode Fuzzy Hash: a51b261d51ca12070454cee3b6fc1a415a32f15e065068b1797963adff9ad074
                        • Instruction Fuzzy Hash: 272196377002119BC721DE6CF8809EAF7B9FFD1665B240A6FE296CB660D761D840C7A1
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 035B84C9
                          • Part of subcall function 035BEF86: std::exception::exception.LIBCMT ref: 035BEF9B
                          • Part of subcall function 035BEF86: __CxxThrowException@8.LIBCMT ref: 035BEFB0
                          • Part of subcall function 035BEF86: std::exception::exception.LIBCMT ref: 035BEFC1
                        • std::_Xinvalid_argument.LIBCPMT ref: 035B84E7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                        • String ID: invalid string position$string too long
                        • API String ID: 963545896-4289949731
                        • Opcode ID: 9e989ed76fc4984d3f64cde2b4919ae780a987389ab32009e77732d30557aa9e
                        • Instruction ID: 1922c02e09b6aa72818b8bc7daa26336798dc8123d16f7cba752e6c3ce484fb2
                        • Opcode Fuzzy Hash: 9e989ed76fc4984d3f64cde2b4919ae780a987389ab32009e77732d30557aa9e
                        • Instruction Fuzzy Hash: 39218E31700346AFC714DF6CF8809A9B3BDBF883147145569E516CB661E730E954CB90
                        APIs
                        • WSAStartup.WS2_32(00000202,?), ref: 003B2CBF
                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 003B2CCA
                        • InterlockedExchange.KERNEL32(00000018,00000000), ref: 003B2CD8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CreateEventExchangeInterlockedStartup
                        • String ID: <t<
                        • API String ID: 784645330-3054241171
                        • Opcode ID: 8a74a98f1e72ecd8c87e70f58f3c55f70126a748f48f3548dce49dda9654bfc4
                        • Instruction ID: 315b2f2e8fa876eda219b299f67a23cbc3f46e87110e0a7021b87c16147690f8
                        • Opcode Fuzzy Hash: 8a74a98f1e72ecd8c87e70f58f3c55f70126a748f48f3548dce49dda9654bfc4
                        • Instruction Fuzzy Hash: A711BDB1910B408FC3318F2B9945957FBF8BF95710B404A1FE99AC6AA0DBB0B044CF91
                        APIs
                        • ___BuildCatchObject.LIBCMT ref: 0345032D
                          • Part of subcall function 03450288: ___BuildCatchObjectHelper.LIBCMT ref: 034502BE
                        • _UnwindNestedFrames.LIBCMT ref: 03450344
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: BuildCatchObject$FramesHelperNestedUnwind
                        • String ID: csm$csm
                        • API String ID: 3487967840-3733052814
                        • Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                        • Instruction ID: 73da7ecef9e35382110ecafdba1c6c04d68ba9597faf238f953b46c075f6f41b
                        • Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                        • Instruction Fuzzy Hash: 9901D679401209BFEF129E52CC44EEA7E6AFF18354F044026BD181D521D7369962DAA9
                        APIs
                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 035BD868
                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 035BD938
                        • SetLastError.KERNEL32(0000007F), ref: 035BD963
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Read$ErrorLast
                        • String ID:
                        • API String ID: 2715074504-0
                        • Opcode ID: 8aa42bebfaeeca007ff82d1db78fc6c9405237d0798b1e120b3f2eec9894c690
                        • Instruction ID: 826f6023757b8355d9b0822c0d275385c7e90ce00a0b7670fe4f6fb905a787dd
                        • Opcode Fuzzy Hash: 8aa42bebfaeeca007ff82d1db78fc6c9405237d0798b1e120b3f2eec9894c690
                        • Instruction Fuzzy Hash: BF419E71A00205ABDB20DF99E880FAAF3F9FF88314F148599E85997361D771F911CB50
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __calloc_crt__init_pointers__mtterm_free
                        • String ID:
                        • API String ID: 3556499859-0
                        • Opcode ID: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                        • Instruction ID: 5f2e144cf90fb513adfa27623f5872803cad9ed3b31ba905617bdf498cf8dd0d
                        • Opcode Fuzzy Hash: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                        • Instruction Fuzzy Hash: B4317C35902730AEFB12EF758C98A17BFA4EB44A60B24452BF9109E2B1E7308061DF44
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 035CA5F6
                        • __isleadbyte_l.LIBCMT ref: 035CA629
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,035DFBA0,?,035D2564,00000000,?,?,?,?,035DFBA0,035D2564), ref: 035CA65A
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,035DFBA0,00000001,035D2564,00000000,?,?,?,?,035DFBA0,035D2564), ref: 035CA6C8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                        • String ID:
                        • API String ID: 3058430110-0
                        • Opcode ID: 4d8c480c78c8d015aaa6982577076d88e2ab018cb25fdf3c379430ae835b0969
                        • Instruction ID: 83efe6939e86729e640ba6f362943792d85c38147bed5bdc866d18e9ea76a7cf
                        • Opcode Fuzzy Hash: 4d8c480c78c8d015aaa6982577076d88e2ab018cb25fdf3c379430ae835b0969
                        • Instruction Fuzzy Hash: 763193319202CAEFDF21DFE4E8809A97FB5BF01215F1985ADE5518B1A2D330D980DB90
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003BE499
                        • __isleadbyte_l.LIBCMT ref: 003BE4CC
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,003CAB6C,?,003C5314,00000000,?,?,?,?,003CAB6C,003C5314), ref: 003BE4FD
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,003CAB6C,00000001,003C5314,00000000,?,?,?,?,003CAB6C,003C5314), ref: 003BE56B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                        • String ID:
                        • API String ID: 3058430110-0
                        • Opcode ID: 96035f3fde59749d09f30c19e1bfb593f7699ccd411b3d905da49a3174a765a9
                        • Instruction ID: 23104d8187ee6b0290d285df149f60555c6d61d278df511900eab123a034f454
                        • Opcode Fuzzy Hash: 96035f3fde59749d09f30c19e1bfb593f7699ccd411b3d905da49a3174a765a9
                        • Instruction Fuzzy Hash: EA31E131A00255EFDB22DF69C884AF93BB5FF01319F168569F6658B991E330DD40DB50
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$_memset
                        • String ID:
                        • API String ID: 2425037729-0
                        • Opcode ID: ac120693c3ae343330275b549688f084c2f8b97813f7965e76b5eeafea090a6d
                        • Instruction ID: d12d1ed756179e5146e786308c9ab26ea34c7759ccc6fe661b664e2aa0c6c205
                        • Opcode Fuzzy Hash: ac120693c3ae343330275b549688f084c2f8b97813f7965e76b5eeafea090a6d
                        • Instruction Fuzzy Hash: 0921087670024D9BCB14CE58FC809FEB3BDFBC4790B19506DED0587221E731995187A0
                        APIs
                        • SetLastError.KERNEL32(0000139F), ref: 035B43EC
                          • Part of subcall function 035B13A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 035B13CB
                          • Part of subcall function 035B41E0: EnterCriticalSection.KERNEL32(035B4FB5,035B4E55,035B42BE,00000000,?,?,035B4E55,?,?,?,?,00000000,000000FF), ref: 035B41E8
                          • Part of subcall function 035B41E0: LeaveCriticalSection.KERNEL32(035B4FB5,?,?,?,00000000,000000FF), ref: 035B41F6
                          • Part of subcall function 035B4C70: HeapFree.KERNEL32(?,00000000,?,00000000,035B4E55,?,035B42C8,035B4E55,00000000,?,?,035B4E55,?), ref: 035B4C97
                        • SetLastError.KERNEL32(00000000,?), ref: 035B43D7
                        • SetLastError.KERNEL32(00000057), ref: 035B4401
                        • WSAGetLastError.WS2_32(?), ref: 035B4410
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
                        • String ID:
                        • API String ID: 2060118545-0
                        • Opcode ID: dc5cbb31cdac7001a9c0a605cf441564b08b5c39b9463ce5001dd4e13dd833d5
                        • Instruction ID: 02d15666bc3ed101613cf5210e61e3f2eea1ee4e0863e91fc391faee554136c7
                        • Opcode Fuzzy Hash: dc5cbb31cdac7001a9c0a605cf441564b08b5c39b9463ce5001dd4e13dd833d5
                        • Instruction Fuzzy Hash: CA11CA7AA0551C97C720EF7AF8449DEB7B8FFC4232B0845A6EC0DD7211D735991146E1
                        APIs
                        • SetLastError.KERNEL32(0000139F), ref: 003B43DC
                          • Part of subcall function 003B13A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 003B13CB
                          • Part of subcall function 003B41D0: EnterCriticalSection.KERNEL32(?,EN;,003B42AE,00000000,?,?,003B4E45,?,?,?,?,00000000,000000FF), ref: 003B41D8
                          • Part of subcall function 003B41D0: LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,000000FF), ref: 003B41E6
                          • Part of subcall function 003B4C60: HeapFree.KERNEL32(?,00000000,?,00000000,EN;,?,003B42B8,EN;,00000000,?,?,003B4E45,?), ref: 003B4C87
                        • SetLastError.KERNEL32(00000000,?), ref: 003B43C7
                        • SetLastError.KERNEL32(00000057), ref: 003B43F1
                        • WSAGetLastError.WS2_32(?), ref: 003B4400
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
                        • String ID:
                        • API String ID: 2060118545-0
                        • Opcode ID: 44455baded2c6ed683abaa78b583b5eebcb34443b597663e37cb9d93f175d117
                        • Instruction ID: 0c51e2cfb048dc94ca0838a8427fe0de55584fd1791dec8e09c5cb22be2f9b95
                        • Opcode Fuzzy Hash: 44455baded2c6ed683abaa78b583b5eebcb34443b597663e37cb9d93f175d117
                        • Instruction Fuzzy Hash: A7113636A0142C9B8712EF69B8849EEB7E8EF84326F0401AAFE0CD7601D634AC1147E4
                        APIs
                        • _free.LIBCMT ref: 035BDE93
                        • _free.LIBCMT ref: 035BDED5
                        • GetProcessHeap.KERNEL32(00000000,00000000,035BDC95), ref: 035BDEFC
                        • HeapFree.KERNEL32(00000000), ref: 035BDF03
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap_free$FreeProcess
                        • String ID:
                        • API String ID: 1072109031-0
                        • Opcode ID: 356d85a9e888906f0b7b14e7a722a553114dd6dc36b144874a993266f3714640
                        • Instruction ID: c1c458f8dee76c8e3f1faca0d4ab26aeb25c080a9db71bcf020021f66801c608
                        • Opcode Fuzzy Hash: 356d85a9e888906f0b7b14e7a722a553114dd6dc36b144874a993266f3714640
                        • Instruction Fuzzy Hash: 44113771600B009BD630DF64DC45BA7B3FABB84710F18891CE59A87AA0D774F842CB91
                        APIs
                        • WSAEventSelect.WS2_32(?,035B3ABB,00000023), ref: 035B3C02
                        • WSAGetLastError.WS2_32 ref: 035B3C0D
                        • send.WS2_32(?,00000000,00000000,00000000), ref: 035B3C58
                        • WSAGetLastError.WS2_32 ref: 035B3C63
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$EventSelectsend
                        • String ID:
                        • API String ID: 259408233-0
                        • Opcode ID: 03b70171521231e0cfc92fb1858cb51660f76e5cd79ddd19fd07ad62b7d4d83d
                        • Instruction ID: 549db214b460251db5b43e7e4257299b3857a318dde51abadc2e73784c1eb3ee
                        • Opcode Fuzzy Hash: 03b70171521231e0cfc92fb1858cb51660f76e5cd79ddd19fd07ad62b7d4d83d
                        • Instruction Fuzzy Hash: 731151B5600B009BD730DF79E888A97B6F9BF88710F110A2DE566C7A60D731E4019B50
                        APIs
                        • WSAEventSelect.WS2_32(?,003B3A9B,00000023), ref: 003B3BE2
                        • WSAGetLastError.WS2_32 ref: 003B3BED
                        • send.WS2_32(?,00000000,00000000,00000000), ref: 003B3C38
                        • WSAGetLastError.WS2_32 ref: 003B3C43
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: ErrorLast$EventSelectsend
                        • String ID:
                        • API String ID: 259408233-0
                        • Opcode ID: e2eea29c5b882da168cb1e76f2b03b535ca27ea636af3c80e610ddad9e85e2f1
                        • Instruction ID: cbbffec44ce7a4b9761d9cb6a6debd8cb6489b9a19541a22c8b2124cfbe6f297
                        • Opcode Fuzzy Hash: e2eea29c5b882da168cb1e76f2b03b535ca27ea636af3c80e610ddad9e85e2f1
                        • Instruction Fuzzy Hash: A1114FB2601B109BD3219B79D888A9BBBE9FB88714F014A1DE657C7A51D771F8408B50
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                        • String ID:
                        • API String ID: 3016257755-0
                        • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                        • Instruction ID: bb7edb2479e094d186a0c2deb85c37e8522ca0ebe73275bb531dae2359e4ade1
                        • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                        • Instruction Fuzzy Hash: 2F114B3601018EBFCF169EC4EC12CEE3F66BB58658B588559FA1859130C736C9B1AB91
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                        • String ID:
                        • API String ID: 3016257755-0
                        • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                        • Instruction ID: 5b43ac89ec42e56a36c2ad50927e0d7c527c7b164c48d9c8167fbcaf504bfd23
                        • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                        • Instruction Fuzzy Hash: A3117E7600014ABBDF129E85CC51CEE7F26FB08250F088426FAA85C230C236C5B2AB85
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                        • String ID:
                        • API String ID: 3016257755-0
                        APIs
                        • __getptd.LIBCMT ref: 03444250
                          • Part of subcall function 0344381A: __getptd_noexit.LIBCMT ref: 0344381D
                          • Part of subcall function 0344381A: __amsg_exit.LIBCMT ref: 0344382A
                        • __amsg_exit.LIBCMT ref: 03444270
                        • __lock.LIBCMT ref: 03444280
                        • _free.LIBCMT ref: 034442B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
                        • String ID:
                        • API String ID: 3170801528-0
                        APIs
                        • EnterCriticalSection.KERNEL32(035B4FB5,035B4E55,035B42BE,00000000,?,?,035B4E55,?,?,?,?,00000000,000000FF), ref: 035B41E8
                        • LeaveCriticalSection.KERNEL32(035B4FB5,?,?,?,00000000,000000FF), ref: 035B41F6
                        • LeaveCriticalSection.KERNEL32(035B4FB5), ref: 035B4257
                        • SetEvent.KERNEL32(8520468B), ref: 035B4272
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$Leave$EnterEvent
                        • String ID:
                        • API String ID: 3394196147-0
                        APIs
                        • timeGetTime.WINMM(00000001,?,00000001,?,035B3C4F,?,?,00000001), ref: 035B4B15
                        • InterlockedIncrement.KERNEL32(00000001), ref: 035B4B24
                        • InterlockedIncrement.KERNEL32(00000001), ref: 035B4B31
                        • timeGetTime.WINMM(?,035B3C4F,?,?,00000001), ref: 035B4B48
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: IncrementInterlockedTimetime
                        • String ID:
                        • API String ID: 159728177-0
                        APIs
                        • timeGetTime.WINMM(00000001,?,00000001,?,003B3C2F,?,?,00000001), ref: 003B4B05
                        • InterlockedIncrement.KERNEL32(00000001), ref: 003B4B14
                        • InterlockedIncrement.KERNEL32(00000001), ref: 003B4B21
                        • timeGetTime.WINMM(?,003B3C2F,?,?,00000001), ref: 003B4B38
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: IncrementInterlockedTimetime
                        • String ID:
                        • API String ID: 159728177-0
                        APIs
                        • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 035B3667
                        • _free.LIBCMT ref: 035B369C
                          • Part of subcall function 035BF639: RtlFreeHeap.NTDLL(00000000,00000000,?,035C3E4C,00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76), ref: 035BF64F
                          • Part of subcall function 035BF639: GetLastError.KERNEL32(00000000,?,035C3E4C,00000000,?,035C4500,00000000,00000001,00000000,?,035C8DE6,00000018,035D6448,0000000C,035C8E76,00000000), ref: 035BF661
                        • _malloc.LIBCMT ref: 035B36D7
                        • _memset.LIBCMT ref: 035B36E5
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                        • String ID:
                        • API String ID: 3340475617-0
                        APIs
                        • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 003B3647
                        • _free.LIBCMT ref: 003B367C
                          • Part of subcall function 003B7009: HeapFree.KERNEL32(00000000,00000000,?,003B9A24,00000000,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000), ref: 003B701F
                          • Part of subcall function 003B7009: GetLastError.KERNEL32(00000000,?,003B9A24,00000000,?,?,?,?,?,?,003BAF67,?,?,E07698D6,00000000), ref: 003B7031
                        • _malloc.LIBCMT ref: 003B36B7
                        • _memset.LIBCMT ref: 003B36C5
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                        • String ID:
                        • API String ID: 3340475617-0
                        APIs
                        • _malloc.LIBCMT ref: 0343F0E0
                          • Part of subcall function 0343F032: __FF_MSGBANNER.LIBCMT ref: 0343F04B
                          • Part of subcall function 0343F032: __NMSG_WRITE.LIBCMT ref: 0343F052
                        • std::exception::exception.LIBCMT ref: 0343F115
                        • std::exception::exception.LIBCMT ref: 0343F12F
                        • __CxxThrowException@8.LIBCMT ref: 0343F140
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Exception@8Throw_malloc
                        • String ID:
                        • API String ID: 2388904642-0
                        APIs
                          • Part of subcall function 035B1420: HeapFree.KERNEL32(?,00000000,?,?,?,035B40B1,?,00000000,035B4039,?,7591DFA0,035B3648), ref: 035B143D
                          • Part of subcall function 035B1420: _free.LIBCMT ref: 035B1459
                        • HeapDestroy.KERNEL32(00000000), ref: 035BCD93
                        • HeapCreate.KERNEL32(?,?,?), ref: 035BCDA5
                        • _free.LIBCMT ref: 035BCDB5
                        • HeapDestroy.KERNEL32 ref: 035BCDE2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Destroy_free$CreateFree
                        • String ID:
                        • API String ID: 4097506873-0
                        APIs
                          • Part of subcall function 003B1420: HeapFree.KERNEL32(?,00000000,?,?,?,003B40A1,?,00000000,003B4029,?,7591DFA0,003B3628), ref: 003B143D
                          • Part of subcall function 003B1420: _free.LIBCMT ref: 003B1459
                        • HeapDestroy.KERNEL32(00000000), ref: 003B6663
                        • HeapCreate.KERNEL32(?,?,?), ref: 003B6675
                        • _free.LIBCMT ref: 003B6685
                        • HeapDestroy.KERNEL32 ref: 003B66B2
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Heap$Destroy_free$CreateFree
                        • String ID:
                        • API String ID: 4097506873-0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                        • String ID:
                        • API String ID: 865245655-0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free_malloc
                        • String ID: &
                        • API String ID: 845055658-3042966939
                        APIs
                        • timeGetTime.WINMM(?,?,00000000,?,?,00000000,000000FF), ref: 003B49F5
                        • _memmove.LIBCMT ref: 003B4A93
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: Time_memmovetime
                        • String ID: [Q;
                        • API String ID: 1463837790-2365824370
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: _memset_wcsrchr
                        • String ID: D
                        • API String ID: 1675014779-2746444292
                        APIs
                          • Part of subcall function 035BBC70: GetDesktopWindow.USER32 ref: 035BBC8F
                          • Part of subcall function 035BBC70: GetDC.USER32(00000000), ref: 035BBC9C
                          • Part of subcall function 035BBC70: CreateCompatibleDC.GDI32(00000000), ref: 035BBCA2
                          • Part of subcall function 035BBC70: GetDC.USER32(00000000), ref: 035BBCAD
                          • Part of subcall function 035BBC70: GetDeviceCaps.GDI32(00000000,00000008), ref: 035BBCBA
                          • Part of subcall function 035BBC70: GetDeviceCaps.GDI32(00000000,00000076), ref: 035BBCC2
                          • Part of subcall function 035BBC70: ReleaseDC.USER32(00000000,00000000), ref: 035BBCD3
                          • Part of subcall function 035BBC70: GetSystemMetrics.USER32(0000004C), ref: 035BBD78
                          • Part of subcall function 035BBC70: GetSystemMetrics.USER32(0000004D), ref: 035BBD8D
                          • Part of subcall function 035BBC70: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 035BBDA6
                          • Part of subcall function 035BBC70: SelectObject.GDI32(?,00000000), ref: 035BBDB4
                          • Part of subcall function 035BBC70: SetStretchBltMode.GDI32(?,00000003), ref: 035BBDC0
                          • Part of subcall function 035BBC70: GetSystemMetrics.USER32(0000004F), ref: 035BBDCD
                          • Part of subcall function 035BBC70: GetSystemMetrics.USER32(0000004E), ref: 035BBDE0
                          • Part of subcall function 035BF707: _malloc.LIBCMT ref: 035BF721
                        • _memset.LIBCMT ref: 035BB1E1
                        • swprintf.LIBCMT ref: 035BB204
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: MetricsSystem$CapsCompatibleCreateDevice$BitmapDesktopModeObjectReleaseSelectStretchWindow_malloc_memsetswprintf
                        • String ID: %s %s
                        • API String ID: 1028806752-581060391
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 035B9115
                          • Part of subcall function 035BEF39: std::exception::exception.LIBCMT ref: 035BEF4E
                          • Part of subcall function 035BEF39: __CxxThrowException@8.LIBCMT ref: 035BEF63
                          • Part of subcall function 035BEF39: std::exception::exception.LIBCMT ref: 035BEF74
                        • std::_Xinvalid_argument.LIBCPMT ref: 035B9128
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                        • String ID: string too long
                        • API String ID: 963545896-2556327735
                        APIs
                        • __CxxThrowException@8.LIBCMT ref: 035B941D
                        • std::_Xinvalid_argument.LIBCPMT ref: 035B944A
                        Strings
                        • invalid string position, xrefs: 035B9445
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: Exception@8ThrowXinvalid_argumentstd::_
                        • String ID: invalid string position
                        • API String ID: 3614006799-1799206989
                        APIs
                        • __output_l.LIBCMT ref: 035BF815
                          • Part of subcall function 035BF91B: __getptd_noexit.LIBCMT ref: 035BF91B
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __getptd_noexit__output_l
                        • String ID: B
                        • API String ID: 2141734944-1255198513
                        APIs
                        • __output_l.LIBCMT ref: 0343F1D4
                          • Part of subcall function 0343F2DA: __getptd_noexit.LIBCMT ref: 0343F2DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __getptd_noexit__output_l
                        • String ID: B
                        • API String ID: 2141734944-1255198513
                        APIs
                        • __output_l.LIBCMT ref: 003B71E5
                          • Part of subcall function 003B72CD: __getptd_noexit.LIBCMT ref: 003B72CD
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: __getptd_noexit__output_l
                        • String ID: ma;h
                        • API String ID: 2141734944-3737540487
                        • Opcode ID: fcf08f49f40388620a7c9c7b68327058aeb0c7f02f70e2ad0512892781dfb2e1
                        • Instruction ID: 8991d69390082bc60d0c54a9d2cf5511ebdd482eef0565a5f5e08088d7136f34
                        • Opcode Fuzzy Hash: fcf08f49f40388620a7c9c7b68327058aeb0c7f02f70e2ad0512892781dfb2e1
                        • Instruction Fuzzy Hash: F5016D719042599BDF029FA8CC01AEEBBB8FB44368F100115FA24AA281E7749901DBB5
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 035B957F
                          • Part of subcall function 035BEF86: std::exception::exception.LIBCMT ref: 035BEF9B
                          • Part of subcall function 035BEF86: __CxxThrowException@8.LIBCMT ref: 035BEFB0
                          • Part of subcall function 035BEF86: std::exception::exception.LIBCMT ref: 035BEFC1
                        • _memmove.LIBCMT ref: 035B95B5
                        Strings
                        • invalid string position, xrefs: 035B957A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                        • String ID: invalid string position
                        • API String ID: 1785806476-1799206989
                        • Opcode ID: 6f90ca04e7a46cd30f2779e4f1342669f15862716e513ad498d0f887728b4816
                        • Instruction ID: 75e48af1cf79512c634bec7696db117346ec7c6e313f41d9fade25a1fc9b9346
                        • Opcode Fuzzy Hash: 6f90ca04e7a46cd30f2779e4f1342669f15862716e513ad498d0f887728b4816
                        • Instruction Fuzzy Hash: 65018F317403018BD325CE6CFC946AAB3F6BFC55007280E28D282CB6A9D7B1EC4247A4
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 035BD1D4
                          • Part of subcall function 035BEF39: std::exception::exception.LIBCMT ref: 035BEF4E
                          • Part of subcall function 035BEF39: __CxxThrowException@8.LIBCMT ref: 035BEF63
                          • Part of subcall function 035BEF39: std::exception::exception.LIBCMT ref: 035BEF74
                        • _memmove.LIBCMT ref: 035BD20D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                        • String ID: vector<T> too long
                        • API String ID: 1785806476-3788999226
                        • Opcode ID: b0be369fa7182f21aa68d029f69a313a6f4d1b6430e500230d187718b865f58f
                        • Instruction ID: b0ee9b399fedec5583a5b1fb6664f189d55e75e979327004a6b4b9f0a9265f87
                        • Opcode Fuzzy Hash: b0be369fa7182f21aa68d029f69a313a6f4d1b6430e500230d187718b865f58f
                        • Instruction Fuzzy Hash: 9401DD769006125FC708EF6DF881CAEBBF8F6442503490139FC12CB638D770A94A97E0
                        APIs
                        • std::_Xinvalid_argument.LIBCPMT ref: 035B8443
                          • Part of subcall function 035BEF39: std::exception::exception.LIBCMT ref: 035BEF4E
                          • Part of subcall function 035BEF39: __CxxThrowException@8.LIBCMT ref: 035BEF63
                          • Part of subcall function 035BEF39: std::exception::exception.LIBCMT ref: 035BEF74
                        • _memmove.LIBCMT ref: 035B846E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                        • String ID: vector<T> too long
                        • API String ID: 1785806476-3788999226
                        • Opcode ID: 2b5328a1586e5710b17ecf3fa147497e7d096b08143e2de101989cee1463252d
                        • Instruction ID: a073b893aa3b37d2546f32684b43279784b4ed989026c79d802e04e6f2b4522d
                        • Opcode Fuzzy Hash: 2b5328a1586e5710b17ecf3fa147497e7d096b08143e2de101989cee1463252d
                        • Instruction Fuzzy Hash: 1E0162B160030A9FDB24DFA9EC919BBB3F9FB54214718492DE457C7760EA30F8018761
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: CallFrame@12Setting__getptd
                        • String ID: j
                        • API String ID: 3454690891-2137352139
                        • Opcode ID: 90659ebcae58fcf1a05544bb40a9ab719d54a7eef93821734f71d7871a8b8079
                        • Instruction ID: b2af0764b7b82589d07295a63ced800f2405ca55b53ba888b726f6a93be736c1
                        • Opcode Fuzzy Hash: 90659ebcae58fcf1a05544bb40a9ab719d54a7eef93821734f71d7871a8b8079
                        • Instruction Fuzzy Hash: C1118BB5800215DFEB10DF59C0447ADFB71FF00714F1981AAD4662F282C370AA59CB89
                        APIs
                          • Part of subcall function 035D010A: __getptd.LIBCMT ref: 035D0110
                          • Part of subcall function 035D010A: __getptd.LIBCMT ref: 035D0120
                        • __getptd.LIBCMT ref: 035D06E3
                          • Part of subcall function 035C3E5B: __getptd_noexit.LIBCMT ref: 035C3E5E
                          • Part of subcall function 035C3E5B: __amsg_exit.LIBCMT ref: 035C3E6B
                        • __getptd.LIBCMT ref: 035D06F1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
                        • Associated: 00000000.00000002.4506546140.00000000035E4000.00000040.00001000.00020000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_35b0000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __getptd$__amsg_exit__getptd_noexit
                        • String ID: csm
                        • API String ID: 803148776-1018135373
                        • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                        • Instruction ID: cbc3e0c440ef51e90eb8310fe144ddac9eb6ffcd8ba03ff8e8859124ed19059a
                        • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                        • Instruction Fuzzy Hash: B30112388003068ECF75EE69E484AADB7B9BB44211F68886ED0599F2B0DB74D581CF41
                        APIs
                        • __getptd.LIBCMT ref: 034500A2
                          • Part of subcall function 0344381A: __getptd_noexit.LIBCMT ref: 0344381D
                          • Part of subcall function 0344381A: __amsg_exit.LIBCMT ref: 0344382A
                        • __getptd.LIBCMT ref: 034500B0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3430000_icivfhp7cR.jbxd
                        Yara matches
                        Similarity
                        • API ID: __getptd$__amsg_exit__getptd_noexit
                        • String ID: csm
                        • API String ID: 803148776-1018135373
                        • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                        • Instruction ID: d73ac26bcad40ba8a8e13d3e3236cec52da83dfdd70336d596b14a91d8f1f50a
                        • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                        • Instruction Fuzzy Hash: 8F015639C003018FDF24DF65D4506AEB7B8AB00212F28856FE8C1AE252CB3199958B0A
                        APIs
                          • Part of subcall function 003C327E: __getptd.LIBCMT ref: 003C3284
                          • Part of subcall function 003C327E: __getptd.LIBCMT ref: 003C3294
                        • __getptd.LIBCMT ref: 003C37A8
                          • Part of subcall function 003B9A33: __getptd_noexit.LIBCMT ref: 003B9A36
                          • Part of subcall function 003B9A33: __amsg_exit.LIBCMT ref: 003B9A43
                        • __getptd.LIBCMT ref: 003C37B6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                        • Associated: 00000000.00000002.4505644381.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505706492.00000000003C5000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505724025.00000000003C9000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.4505769832.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3b0000_icivfhp7cR.jbxd
                        Similarity
                        • API ID: __getptd$__amsg_exit__getptd_noexit
                        • String ID: csm
                        • API String ID: 803148776-1018135373
                        • Opcode ID: b6df51cf0bd50e8a3f4545857898d45d6830f72e6c8bdfca11c47be0234717bf
                        • Instruction ID: 7935bd82e24cc4247d4ba55f006a844b154031529c80b837b439f7b2245fd336
                        • Opcode Fuzzy Hash: b6df51cf0bd50e8a3f4545857898d45d6830f72e6c8bdfca11c47be0234717bf
                        • Instruction Fuzzy Hash: EB018B708007058BCF36AF22C440FAEBBB5AF00310F65842EE441DA661CB30EF85CB61
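The Similarity entries above tie each recovered function to the memory dump it came from, and two of them (the `csm` / `__getptd` function at 035B0000 and at 03430000) carry the same Opcode ID with different Instruction IDs, i.e. the same code shape at two addresses. The script below is an added example, not Joe Sandbox code and not part of this report: it parses the plain-text listing as it appears on this page, groups entries by Opcode ID to find functions present in more than one dump, and flags dumps taken from private PAGE_EXECUTE_READWRITE memory. The sample input is a constructed subset copied verbatim from three entries above; the meaning of the dot-separated fields in the `.sdmp` file name (base address, page protection, memory type) is an assumption inferred from the names on this page, not documented behaviour, although the values match the Windows constants exactly.

```python
"""Cross-reference Joe Sandbox function-similarity entries across memory dumps.

Added example, not Joe Sandbox code.  Input is the plain-text 'Similarity'
listing as rendered in this report.
"""
import re
from collections import defaultdict

# Documented Windows constants (winnt.h).
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# Constructed input: three entries copied from this report, trimmed to the
# fields the parser reads.  One CRT function ('csm' string, __getptd callers)
# is listed from three dumps; two of the entries share an Opcode ID.
SAMPLE = """\
APIs
• __getptd.LIBCMT ref: 035D06E3
Memory Dump Source
• Source File: 00000000.00000002.4506546140.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035B0000, based on PE: true
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
• Instruction ID: cbc3e0c440ef51e90eb8310fe144ddac9eb6ffcd8ba03ff8e8859124ed19059a
APIs
• __getptd.LIBCMT ref: 034500A2
Memory Dump Source
• Source File: 00000000.00000002.4506492650.0000000003430000.00000040.00001000.00020000.00000000.sdmp, Offset: 03430000, based on PE: false
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
• Instruction ID: d73ac26bcad40ba8a8e13d3e3236cec52da83dfdd70336d596b14a91d8f1f50a
APIs
• __getptd.LIBCMT ref: 003C37A8
Memory Dump Source
• Source File: 00000000.00000002.4505685300.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
Similarity
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• Opcode ID: b6df51cf0bd50e8a3f4545857898d45d6830f72e6c8bdfca11c47be0234717bf
• Instruction ID: 7935bd82e24cc4247d4ba55f006a844b154031529c80b837b439f7b2245fd336
"""

FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def describe_dump(name):
    """Split an .sdmp file name into the fields used here.  Assumed layout,
    inferred from the names on this page (not documented): dot-separated
    field 3 = base address, field 4 = page protection, field 6 = memory type."""
    f = name.split(".")
    return {"base": int(f[3], 16), "protect": int(f[4], 16), "mem_type": int(f[6], 16)}


def parse_entries(text):
    """One dict per function entry.  An entry starts at a bare 'APIs' heading;
    text before the first heading (a partial entry at a page break) is skipped."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"api_id": None, "string_id": None, "opcode_id": None, "instruction_id": None}
            entries.append(cur)
            continue
        m = FIELD.match(line) if cur is not None else None
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            name, _, rest = val.partition(", Offset: ")
            offset, _, pe = rest.partition(", based on PE: ")
            cur.update(source=name, offset=offset, based_on_pe=(pe == "true"))
            cur.update(describe_dump(name))
        elif key in ("API ID", "String ID", "Opcode ID", "Instruction ID"):
            cur[key.lower().replace(" ", "_")] = val
    return entries


def shared_opcode_ids(entries):
    """Opcode IDs present in more than one dump -> sorted dump offsets.  Same
    Opcode ID with a different Instruction ID is the same code shape at a
    different address, e.g. a relocated or unpacked copy of one function."""
    by_opcode = defaultdict(set)
    for e in entries:
        if e["opcode_id"] and "offset" in e:
            by_opcode[e["opcode_id"]].add(e["offset"])
    return {k: sorted(v) for k, v in by_opcode.items() if len(v) > 1}


def rwx_private_dumps(entries):
    """Dump offset -> whether a PE header was found, for dumps taken from private
    PAGE_EXECUTE_READWRITE memory: code a normally loaded image does not have,
    so the first place to look for an unpacked stage."""
    return {e["offset"]: e["based_on_pe"] for e in entries
            if e.get("protect") == PAGE_EXECUTE_READWRITE and e.get("mem_type") == MEM_PRIVATE}


ENTRIES = parse_entries(SAMPLE)
SHARED = shared_opcode_ids(ENTRIES)
RWX = rwx_private_dumps(ENTRIES)

if __name__ == "__main__":
    for opcode, offsets in SHARED.items():
        print(f"Opcode ID {opcode[:16]}... seen in dumps at {', '.join(offsets)}")
    for offset, has_pe in RWX.items():
        print(f"private RWX dump at {offset}: PE header {'present' if has_pe else 'absent'}")
```

Run against the full listing, the output separates the three regions this report draws from: 003B0000 is the on-disk image (MEM_IMAGE, page protection 0x20), while 035B0000 (a PE found in private RWX memory) and 03430000 (non-PE code in private RWX memory) are where the unpacked code lives, which is where configuration extraction and Yara rules should be aimed rather than at the packed file on disk.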